Cyberoam VPN Management Guide Version 10 Document version 1.0 – 10.6.2.378 - 12/01/2015

VPN Management Guide

Page 2 of 96

Important Notice

Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.

USER’S LICENSE

Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances.

You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam UTM Appliances at http://kb.cyberoam.com.

RESTRICTED RIGHTS

Copyright 1999 - 2015 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Cyberoam Technologies Pvt. Ltd.

Corporate Headquarters

Cyberoam House,

Saigulshan Complex, Opp. Sanskruti,

Beside White House, Panchwati Cross Road,

Ahmedabad - 380006, GUJARAT, INDIA.

Tel: +91-79-66216666

Fax: +91-79-26407640

Web site: www.cyberoam.com

Page 3 of 96

Contents

Preface ..... 4
Introduction ..... 6
Appliance Administrative Interfaces ..... 7
  Web Admin Console ..... 7
  Command Line Interface (CLI) Console ..... 8
  Cyberoam Central Console (CCC) ..... 8
Web Admin Console ..... 9
  Web Admin Language ..... 9
  Supported Browsers ..... 10
  Login procedure ..... 11
  Log out procedure ..... 12
  Menus and Pages ..... 13
  Page ..... 15
  Icon bar ..... 16
  List Navigation Controls ..... 17
  Tool Tips ..... 18
  Status Bar ..... 18
  Common Operations ..... 19
Introduction to VPN ..... 21
Cyberoam VPN ..... 22
Policy ..... 23
  Policy ..... 25
IPSec ..... 34
  Manage IPSec Connection ..... 35
  Failover Group ..... 78
CISCO™ VPN Client ..... 81
L2TP ..... 84
  Configuration ..... 84
  Manage L2TP Connection ..... 87
PPTP ..... 92
Live Connections ..... 95
  IPSec Connections ..... 95
  SSL VPN Users ..... 96

Page 4 of 96

Preface

Welcome to Cyberoam’s VPN Management Guide.

This Guide provides information on how to configure Cyberoam VPN connections (IPSec, L2TP and PPTP) and helps you manage and customize the Appliance to meet your organization’s various requirements for remote users.

Cyberoam’s integrated Internet security solution is purpose-built to meet the unified threat management needs of corporate, government organizations and educational institutions. It also provides assistance in improving Bandwidth management, increasing Employee productivity, and reducing legal liability associated with undesirable Internet content access.

This Guide provides a basic introduction to VPN and some fundamental information on the technologies relevant to the way Cyberoam implements VPN. It outlines how a VPN tunnel is actually created and gives a detailed picture of the different settings that can be used to adjust VPN policies on the Appliance.

The Appliances use Layer 8 technology to help organizations maintain a state of readiness against today's blended threats and offer real-time protection.

Note The default Web Admin Console username is ‘admin’ and the password is ‘admin’. We recommend that you change the default password immediately after installation to avoid unauthorized access. All the screen shots in the Cyberoam User Guides are taken from the NG series of Appliances. The features and functionality, however, remain unchanged across all Cyberoam Appliances.

Page 5 of 96

Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address:

Corporate Office

Cyberoam House,

Saigulshan Complex, Opp. Sanskruti,

Beside White House, Panchwati Cross Road,

Ahmedabad - 380006, GUJARAT, INDIA.

Tel: +91-79-66216666

Fax: +91-79-26407640

Web site: www.cyberoam.com

Cyberoam contact:

Technical support (Corporate Office): +91-79-66216565

Email: [email protected]

Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.

Page 6 of 96

Introduction

The Appliances use Layer 8 technology to help organizations maintain a state of readiness against today's blended threats and offer real-time protection.

Unified Threat Management Appliances offer identity-based comprehensive security to organizations against blended threats - worms, viruses, malware, data loss, identity theft; threats over applications viz. Instant Messengers; threats over secure protocols viz. HTTPS; and more. They also offer wireless security (WLAN) and 3G wireless broadband. Analog modem support can be used as either Active or Backup WAN connection for business continuity.

The Appliance integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and Anti- Spyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Data Leakage Prevention, IM Management and Control, Layer 7 visibility, Web Application Firewall, Bandwidth Management, Multiple Link Management and Comprehensive Reporting over a single platform.

The Appliance has enhanced security by adding an 8th layer (User Identity) to the protocol stack. Advanced inspection provides L8 user-identity and L7 application detail in classifying traffic, enabling Administrators to apply access and bandwidth policies far beyond the controls that traditional UTMs support. It thus offers security to organizations across layer 2 - layer 8, without compromising productivity and connectivity.

The Appliance accelerates unified security by enabling single-point control of all its security features through a Web 2.0-based GUI. An extensible architecture and an ‘IPv6 Ready’ Gold logo provide Appliance the readiness to deliver on future security requirements.

The Appliances provide increased LAN security by providing a separate port for connecting the publicly accessible servers (Web server, Mail server, FTP server, etc.) hosted in the DMZ, which are visible to the external world and still have firewall protection.

Layer 8 Security:

The Appliance’s features are built around its patent-pending Layer 8 technology. Layer 8 technology implements the human layer of networking by allowing organizations to control traffic based on users instead of mere IP Addresses. Layer 8 technology keeps organizations a step ahead of conventional security solutions by providing full business flexibility and security in any environment, including Wi-Fi and DHCP.

Note All the screen shots in this Guide are taken from the NG series of Appliances. The features and functionality, however, remain unchanged across all Cyberoam Appliances.

Page 7 of 96

Appliance Administrative Interfaces

Appliance can be accessed and administered through:

1. Web Admin Console

2. Command Line Interface Console

3. Cyberoam Central Console

Administrative Access

An administrator can connect to and access the Appliance through the HTTP, HTTPS, telnet, or SSH services. Depending on the Administrator login account profile used for access, an administrator can access a number of Administrative Interfaces and Web Admin Console configuration pages.

The Appliance is shipped with two administrator accounts and four administrator profiles.

Administrator Type | Login Credentials | Console Access | Privileges
Super Administrator | admin/admin | Web Admin Console, CLI console | Full privileges for both the consoles. It provides read-write permission for all the configuration performed through either of the consoles.
Default | cyberoam/cyber | Web Admin console only | Full privileges. It provides read-write permission for all the configuration pages of Web Admin console.

Note We recommend that you change the password of both the users immediately on deployment.

Web Admin Console

Web Admin Console is a web-based application that an Administrator can use to configure, monitor, and manage the Appliance.

You can connect to and access Web Admin Console of the Appliance using HTTP or a HTTPS connection from any management computer using web browser:

1. HTTP login: http://<LAN IP Address of the Appliance>

2. HTTPS login: https://<LAN IP Address of the Appliance>

For more details, refer section Web Admin Console.

Page 8 of 96

Command Line Interface (CLI) Console

The Appliance CLI console provides a collection of tools to administer, monitor and control certain Appliance components. The Appliance can be accessed remotely using the following connections:

1. Remote login Utility – TELNET login

To access the Appliance from a command prompt using the remote login utility Telnet, use the command TELNET <LAN IP Address of the Appliance>. Use the default password “admin”.

2. SSH Client (Serial Console)

An SSH client securely connects to the Appliance and performs command-line operations. The CLI console of the Appliance can be accessed via any SSH client using the LAN IP Address of the Appliance and providing Administrator credentials for authentication.

Note Start the SSH client and create a new Connection with the following parameters:
Host – <LAN IP Address of the Appliance>
Username – admin
Password – admin

Use the CLI console to troubleshoot and diagnose network problems in detail. For more details, refer to the version-specific Console Guide available at http://docs.cyberoam.com/.

Cyberoam Central Console (CCC)

Distributed Cyberoam Appliances can be centrally managed using a single Cyberoam Central Console (CCC) Appliance, enabling high levels of security for Managed Security Service Providers (MSSPs) and large enterprises. To monitor and manage Cyberoam using a CCC Appliance you must:

1. Configure CCC Appliance in Cyberoam

2. Integrate the Cyberoam Appliance with CCC, using Auto Discovery or manually

Once you have added the Appliances and organized them into groups, you can configure single Appliance or groups of Appliances.

For more information, please refer CCC Administrator Guide.

Page 9 of 96

Web Admin Console

CyberoamOS uses a Web 2.0 based easy-to-use graphical interface termed as Web Admin Console to configure and manage the Appliance.

You can access the Appliance for HTTP and HTTPS web browser-based administration from any of the interfaces. When the Appliance is connected and powered up for the first time, it has the following default Web Admin Console access configuration for the HTTP and HTTPS services.

Services | Interface/Zones | Default Port
HTTP | LAN, WAN | TCP Port 80
HTTPS | WAN | TCP Port 443

The administrator can update the default ports for the HTTP and HTTPS services from System > Administration > Settings.

Web Admin Language

The Web Admin Console supports multiple languages, but by default appears in English. To cater to its non-English customers, Chinese-Simplified, Chinese-Traditional, Hindi, Japanese and French are also supported. The Administrator can choose the preferred GUI language at the time of logging on.

The following elements of the Web Admin Console are displayed in the configured language:

Dashboard Doclet contents

Navigation menu

Screen elements including field & button labels and tips

Error messages

Page 10 of 96

Supported Browsers

You can connect to the Web Admin Console of the Appliance using HTTP or a secure HTTPS connection from any management computer using one of the following web browsers.

The minimum screen resolution for the management computer is 1024 x 768 with 32-bit true color.

Browser | Supported Version
Microsoft Internet Explorer | Version 8+
Mozilla Firefox | Version 3+
Google Chrome | All versions
Safari | 5.1.2 (7534.52.7)+
Opera | 15.0.1147.141+

The Administrator can also specify the description for firewall rule, various policies, services and various custom categories in any of the supported languages.

All the configuration done using Web Admin Console takes effect immediately. To assist you in configuring the Appliance, the Appliance includes a detailed context-sensitive online help.

Page 11 of 96

Login procedure

The log on procedure authenticates the user and creates a session with the Appliance that lasts until the user logs off.

To get to the login window, open the browser and type the LAN IP Address of Cyberoam in the browser’s URL box. A dialog box appears prompting you to enter username and password.

Screen – Login Screen

Screen Element | Description
Username | Enter the user login name. If you are logging on for the first time after installation, use the default username.
Password | Specify the user account password. Dots are the placeholders in the password field. If you are logging on for the first time after installation with the default username, use the default password.
Language | Select the language. The available options are Chinese-Simplified, Chinese-Traditional, English, French, and Hindi. Default – English
Log on to | To administer Cyberoam, select “Web Admin Console”. To view logs and reports, select “Reports”. To log in to your account, select “My Account”.
Login button | Click to log on to the Web Admin Console.

Table – Login Screen

The Dashboard appears as soon as you log on to the Web Admin Console. It provides a quick overview of all the important parameters of your Appliance.

Page 12 of 96

Log out procedure

To prevent unauthorized users from accessing Cyberoam, log off after you have finished working. This ends the session and exits from Cyberoam.

To log off from the Appliance, click the Logout button located at the top right of any Web Admin Console page.

Page 13 of 96

Menus and Pages

The Navigation bar on the leftmost side provides access to the various configuration pages. This menu consists of sub-menus and tabs. On clicking a menu item in the navigation bar, the related management functions are displayed as submenu items in the navigation bar itself. On clicking a submenu item, all the associated tabs are displayed as the horizontal menu bar at the top of the page. To view the page associated with a tab, click the required tab.

The left navigation bar expands and contracts dynamically when clicked, without navigating to a submenu. When you click on a top-level heading in the left navigation bar, it automatically expands that heading and contracts the heading for the page you are currently on, but it does not navigate away from the current page. To navigate to a new page, first click on the heading, and then click on the submenu you want to navigate to. Hovering the cursor over the up-scroll icon or the down-scroll icon automatically scrolls the navigation bar up or down respectively.

The navigation menu includes following modules:

System – System administration and configuration, firmware maintenance, backup - restore

Objects – Configuration of various policies for hosts, services, schedules and file type

Networks – Network specific configuration viz., Interface speed, MTU and MSS settings, Gateway, DDNS

Identity – Configuration and management of User and user groups

Page 14 of 96

Firewall – Firewall Rule Management

VPN – VPN and SSL VPN access configuration

IPS – IPS policies and signature

Web Filter – Web filtering categories and policies configuration

Application Filter – Application filtering categories and policies configuration

WAF – Web Application Filtering policies configuration. Available in all the models except CR15iNG and CR15wiNG.

IM – IM controls

QoS – Policy management viz., surfing quota, QoS, access time, data transfer

Anti Virus – Antivirus filtering policies configuration

Anti Spam – Anti Spam filtering policies configuration

Traffic Discovery – Traffic monitoring

Logs & Reports – Logs and reports configuration

Note Use F1 key for page-specific help. Use F10 key to return to Dashboard.

Each section in this guide shows the menu path to the configuration page. For example, to reach the Zone page, choose the Network menu, then choose the Interface sub-menu from the navigation bar, and then choose the Zone tab. The Guide mentions this path as Network > Interface > Zone.

Page 15 of 96

Page

A typical page looks as shown in the image below:

Screen – Page

Page 16 of 96

Icon bar

The Icon bar on the upper rightmost corner of every page provides access to several commonly used functions like:

1. Dashboard – Click to view the Dashboard

2. Wizard – Opens a Network Configuration Wizard for a step-by-step configuration of the network parameters like IP Address, subnet mask and default gateway for your Appliance.

3. Report – Opens the Reports page for viewing various usage reports. The integrated Logging and Reporting solution, iView, offers a wide spectrum of 1000+ unique user identity-based reports across applications and protocols and provides in-depth network visibility to help organizations take corrective and preventive measures.

This feature is not available for CR15xxxx series of Appliances.

4. Console – Provides immediate access to CLI by initiating a telnet connection with CLI without closing Web Admin console.

5. Logout – Click to log off from the Web Admin Console.

6. More Options – Provides options for further assistance. The available options are as follows:

Support – Opens the customer login page for creating a Technical Support Ticket. It is fast, easy and puts your case right into the Technical Support queue.

About Product – Opens the Appliance registration information page.

Help – Opens the context – sensitive help page.

Reset Dashboard – Resets the Dashboard to factory default settings.

Lock – Locks the Web Admin Console. The Web Admin Console is automatically locked if it is left inactive for more than 3 minutes. To unlock the Web Admin Console you need to log in again. By default, the Lock functionality is disabled. Enable Admin Session Lock from System > Administration > Settings.

Reboot Appliance – Reboots the Appliance.

Shutdown Appliance – Shuts down the Appliance.

Page 17 of 96

List Navigation Controls

The Web Admin Console pages display information in the form of lists that are spread across multiple pages. The Page Navigation Control Bar in the upper right corner of the list provides navigation buttons for moving through the pages of a list with a large number of entries. It also includes an option to specify the number of entries/records displayed per page.

Page 18 of 96

Tool Tips

To view additional configuration information, use the tool tip. A tool tip is provided for many configurable fields. Move the pointer over the icon to view a brief configuration summary.

Status Bar

The Status bar at the bottom of the page displays the action status.

Page 19 of 96

Common Operations

Adding an Entity

You can add a new entity like a policy, group, user, rule, or host by clicking the Add button available on most of the configuration pages. Clicking this button opens either a new page or a pop-up window.

Editing an Entity

All the editable entities are hyperlinked. You can edit any entity by clicking either the hyperlink or the Edit icon under the Manage column.

Deleting an Entity

You can delete an entity by selecting the checkbox and clicking the Delete button or Delete icon.

To delete multiple entities, select individual entity and click the Delete button.

Page 20 of 96

To delete all the entities, select the checkbox in the heading column and click the Delete button.

Sorting Lists

To organize a list spread over multiple pages, sort the list in ascending or descending order of a column attribute. You can sort a list by clicking a column heading.

The Ascending Order icon in a column heading indicates that the list is sorted in ascending order of the column attribute.

The Descending Order icon in a column heading indicates that the list is sorted in descending order of the column attribute.

Filtering Lists

To search for specific information within a long list spread over multiple pages, filter the list. Filtering criteria vary depending on the column data and can be a number, an IP address or part of an address, or any text string combination.

To create a filter, click the Filter icon in a column heading. When a filter is applied to a column, the Filter icon changes to indicate that the filter is active.

Configuring Column Settings

By default, all columnar information is displayed on every page, but on certain pages where a large amount of columnar information is available, all the columns cannot be displayed. It is also possible that some content may not be of use to everyone. Using column settings, you can display only those columns that are important to you.

To configure column settings, click Select Column Settings and select the checkbox against the columns you want to display and clear the checkbox against the columns which you do not want to display. All the default columns are greyed and not selectable.

Page 21 of 96

Introduction to VPN

A Virtual Private Network (VPN) is a tunnel that carries private network traffic from one endpoint system to another over a public network such as the Internet without the traffic being aware that there are intermediate hops between the endpoints or the intermediate hops being aware that they are carrying the network packets that are traversing the tunnel. The tunnel may optionally compress and/or encrypt the data, providing enhanced performance and some measure of security.

VPN allows you to pretend that you are using a leased line or a direct telephone call to communicate between endpoints.

VPNs allow users and telecommuters to connect to their corporate intranets or extranets and are cost-effective because users can connect to the Internet locally and tunnel back to connect to corporate resources. This not only reduces the overhead costs associated with traditional remote access methods, but also improves flexibility and scalability.

Page 22 of 96

Cyberoam VPN

For all corporate users traveling or working from home, connecting securely to the corporate network is essential. With Cyberoam, setting up a VPN is almost effortless.

The two endpoints in Cyberoam VPN are referred to as:

Local – First endpoint is the local machine itself.

Remote – Second endpoint is the remote peer - the machine you are trying to establish a VPN connection to, or the machine which is trying to establish a VPN connection with you.

Cyberoam VPN automatically encrypts the data and sends it to the remote site over the Internet, where it is automatically decrypted and forwarded to the intended destination. By encrypting, the integrity and confidentiality of data is protected even when transmitted over the un-trusted public network. Cyberoam uses the standard IPSec protocol to protect network traffic. In IPSec, the identity of the communicating parties is verified by authentication based on Digital Certificates, Public Keys or Preshared Keys.
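The tunnel described under Introduction to VPN and the encrypt-on-send, decrypt-on-receive flow in the paragraph above can be seen end to end in a small Go program. This is an added example written for this page, not Cyberoam's code and not the IPSec/ESP wire format: it assumes a 32-byte key already shared by both endpoints (constructed here; in practice negotiated by IKE), an outer header of just the two public addresses plus a nonce, and AES-256-GCM as the combined encryption and integrity mechanism. It shows that intermediate hops see only the outer addresses, and that a packet altered in transit is rejected rather than decrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"net"
)

// Assumed outer-packet layout for this example (not the IPSec/ESP wire format):
// [4 bytes outer src][4 bytes outer dst][12 bytes nonce][ciphertext || 16-byte tag]
const (
	hdrLen   = 8
	nonceLen = 12
)

// Tunnel is one endpoint of a point-to-point tunnel between two public addresses.
type Tunnel struct {
	aead          cipher.AEAD
	local, remote net.IP
}

// NewTunnel builds an endpoint from a 16-, 24- or 32-byte AES key shared by both
// peers. In a real deployment the key is negotiated (for example by IKE), never typed in.
func NewTunnel(key []byte, local, remote net.IP) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead, local: local.To4(), remote: remote.To4()}, nil
}

// InnerPacket builds a toy private-network packet: [src][dst][payload].
// Intermediate hops on the Internet never see these addresses or the payload.
func InnerPacket(src, dst net.IP, payload []byte) []byte {
	p := make([]byte, 0, hdrLen+len(payload))
	p = append(p, src.To4()...)
	p = append(p, dst.To4()...)
	return append(p, payload...)
}

// Encapsulate encrypts a whole inner packet and prefixes the clear-text outer
// header. The outer header is bound to the ciphertext as additional data, so a
// hop that rewrites the addresses makes the integrity check fail at the peer.
func (t *Tunnel) Encapsulate(inner []byte) ([]byte, error) {
	hdr := make([]byte, hdrLen)
	copy(hdr[:4], t.local)
	copy(hdr[4:], t.remote)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	out := make([]byte, 0, hdrLen+nonceLen+len(inner)+t.aead.Overhead())
	out = append(out, hdr...)
	out = append(out, nonce...)
	return t.aead.Seal(out, nonce, inner, hdr), nil
}

// Decapsulate checks the outer addresses, verifies the tag and returns the inner
// packet. Any modification in transit yields an error and no plaintext.
func (t *Tunnel) Decapsulate(outer []byte) ([]byte, error) {
	if len(outer) < hdrLen+nonceLen+t.aead.Overhead() {
		return nil, errors.New("packet too short for this tunnel")
	}
	hdr := outer[:hdrLen]
	src, dst := net.IP(hdr[:4]), net.IP(hdr[4:hdrLen])
	if !src.Equal(t.remote) || !dst.Equal(t.local) {
		return nil, fmt.Errorf("outer addresses %s->%s do not belong to this tunnel", src, dst)
	}
	nonce := outer[hdrLen : hdrLen+nonceLen]
	return t.aead.Open(nil, nonce, outer[hdrLen+nonceLen:], hdr)
}

func main() {
	key := make([]byte, 32) // constructed demo key (AES-256); see the NewTunnel comment
	for i := range key {
		key[i] = byte(i)
	}
	siteA, _ := NewTunnel(key, net.ParseIP("203.0.113.10"), net.ParseIP("198.51.100.20"))
	siteB, _ := NewTunnel(key, net.ParseIP("198.51.100.20"), net.ParseIP("203.0.113.10"))

	inner := InnerPacket(net.ParseIP("10.0.1.5"), net.ParseIP("10.0.2.9"), []byte("constructed payload"))
	outer, _ := siteA.Encapsulate(inner)
	got, err := siteB.Decapsulate(outer)
	fmt.Println("intact packet recovered:", err == nil && bytes.Equal(got, inner))

	outer[len(outer)-1] ^= 0x01 // simulate one flipped bit on the public path
	_, err = siteB.Decapsulate(outer)
	fmt.Println("tampered packet rejected:", err != nil)
}
```

Run it with go run; the two printed lines report that the untouched packet round-trips and that the bit-flipped copy fails the integrity check. Passing the outer header as additional authenticated data is what makes address rewriting detectable as well.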

The Appliance ensures that all the VPN traffic passing through the VPN tunnels is threat free. All the Firewall Rules and policies are applicable to the traffic going into and coming out of the VPN tunnels. The Appliance inspects all the traffic passing through VPN tunnels and makes sure that there are no viruses, worms, Spam, inappropriate content or intrusion attempts in the VPN traffic. As VPN traffic is, by default, subjected to DoS inspection, Cyberoam provides a facility by which scanning can be bypassed for traffic coming from certain hosts in the VPN zone. This functionality is achieved by adding an additional zone called the VPN zone. VPN traffic passes through the VPN zone and Firewall Rules can be applied to the VPN zone.

The Appliance can be used to establish VPN connection between sites, LAN-to-LAN and Client-to-LAN connection. VPN is the bridge between Local & Remote networks/subnets.

The Appliance supports the following protocols to authenticate and encrypt traffic:

Internet Protocol Security (IPSec)

Layer Two Tunneling Protocol (L2TP)

Point-to-Point Tunneling Protocol (PPTP)

Secure Socket Layer (SSL)

Note VPN is not supported when the Appliance is deployed as a Bridge. Hence, when you change the deployment mode from Gateway to Bridge mode, the Appliance deletes all the custom and default Firewall Rules pertaining to the VPN zone, dynamic hosts and host groups, virtual hosts mapped to the VPN zone, and the VPN zone entry in the Local ACL. Firewall Rules and scanning are applicable to IPSec, L2TP and PPTP traffic.

Policy

Encryption and Authentication method

Authentication of communicating parties and integrity of exchanged data is crucial for the reliable implementation of VPN.

Encryption is used to provide confidentiality of data during negotiation. The Appliance supports the 3DES encryption algorithm, an extensively tested public algorithm, and uses the MD5 message digest hash function for data integrity.

3DES: Triple DES (Data Encryption Standard) is a strong symmetric encryption algorithm that is compliant with the OpenPGP standard. It is the application of the DES standard where three keys are used in succession to provide additional security.

AES: Advanced Encryption Standard AES offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits.

This security system supports a number of encryption algorithms.

Serpent: Serpent is a 128-bit block cipher that encrypts and decrypts data in chunks of 128 bits with a variable key length of 128, 192 or 256 bits. The Serpent algorithm uses 32 rounds, or iterations of the main algorithm.

Serpent is faster than DES and more secure than Triple DES.

BlowFish: BlowFish is a symmetric encryption algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher which divides a message into fixed length blocks during encryption and decryption. It has a 64-bit block size and a key length of anywhere between 32 bits and 448 bits, and uses 16 rounds of the main algorithm.

TwoFish: TwoFish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.

Preshared Key

An authentication mechanism whereby the key used in encryption is exchanged beforehand, prior to negotiation with the other system.

Preshared Key authentication is the process by which two systems prove their identity to each other where each system encrypts some unpredictable, arbitrary data with a key that has been exchanged beforehand. If they can successfully decrypt the message, it is assumed that the sender is valid.

A single shared key is used for encryption and decryption. The data is encrypted by a key and sent to the recipient over the Internet. At the receiving end, the data is decrypted with the exact same key that was used for encryption.

Digital Certificates

Digital Certificate authentication is yet another authentication method, one that employs digital signatures and public key cryptography.

A Digital Certificate is a document that guarantees the identity of a person or entity and is issued by a trusted third party, the Certificate Authority (CA). Digital Certificate holders have a public/private key pair which can be used to authenticate the sender and decrypt the incoming message, ensuring that only the certificate holder can decode the message.

A certificate is used to associate a public/private key pair with a given IP Address or Host name, and is issued by a CA for a specific period of time. The CA can be an in-house CA, run by your own organization, or a public CA. To use certificates for negotiation, both peers have to generate public/private key pairs, request and receive public key certificates, and be configured to trust the CA that issues the certificates.

Users can download and install certificate from Cyberoam.

Public Key

Public Key authentication uses two keys – public key available to anyone and a private key held by only one individual. The sender encrypts data with the recipient’s public key. Only the recipient can decrypt the data, being the only one who possesses the corresponding private key.

Page 25: VPN Management Guide - Sophos 10.x/10.6.2... · 2015-01-12 · VPN Management Guide Page 6 of 96 Introduction The Appliances use Layer 8 technology to help organizations maintain

VPN Management Guide

Page 25 of 96

Policy

Policy describes the security parameters that are used for negotiations to establish and maintain a secure tunnel between two peers.

Before you set up your secure tunnels, to make their configuration faster and easier, you can create VPN policies that work on a global level. Rather than configuring the policy parameters for every tunnel you create, you can configure general policies and then later apply them to your secure tunnels.

Authentication mode

To ensure secure communication, there are two phases to every IKE (Internet Key Exchange) negotiation - Phase 1 (Authentication) and Phase 2 (Key exchange).

The Phase 1 negotiation establishes a secure channel between the peers: it determines a specific set of cryptographic protocols, exchanges shared secret keys, and agrees the encryption and authentication algorithms that will be used for generating keys.

The Phase 2 negotiation establishes a secure channel between peers to protect data. During Phase 2 negotiation, the protocol security association for the tunnel is established. Either of the peers can initiate Phase 1 or Phase 2 renegotiation at any time. Both can specify intervals after which to negotiate.

Key life

Lifetime of a key is specified as Key life.

Once the connection is established after exchanging authenticated and encrypted keys, the connection is not dropped till the key life expires. If the key life of the two peers is not the same, renegotiation takes place whenever the key life of either peer is over. This means an intruder has to break only one key to get into your system.

Key generation and key rotation are important because the longer the life of the key, the larger the amount of data at risk, and the easier it becomes to intercept more ciphertext for analysis.

Perfect Forward Secrecy (PFS)

It becomes difficult for a network intruder to get the big picture if keys keep changing and he has to keep cracking keys for every negotiation. This is achieved by implementing PFS. When PFS is selected, a new key is generated for every negotiation and a new Diffie-Hellman (DH) key exchange is included. So every time, the intruder will have to break yet another key, even if he already knows the previous one. This enhances security.

Diffie-Hellman (DH) Group (IKE group)

Diffie-Hellman is a public-key cryptography scheme that allows peers to establish a shared secret over an insecure communication channel. The Diffie-Hellman Key Exchange uses a complex algorithm with public and private keys to encrypt and then decrypt the data.

The Diffie-Hellman Group describes the key length used in encryption. The group number is also termed the Identifier.

DH Group   Key length (bits)
1          768
2          1024
5          1536
14         2048
15         3072
16         4096

Negotiation fails if same groups are not specified on each peer. The group cannot be switched during negotiation.
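The DH-group rule above, together with the rule stated later in the policy parameters that a phase carries up to three encryption/authentication combinations and the remote peer must match at least one of them, can be checked offline before two administrators exchange configurations. The following Python script is an added example for this guide, not Cyberoam code: the PhasePolicy class, the function names, the handling of "Same as Phase 1" and "No PFS", and the rule that combinations are tried in the local policy's order are assumptions made for the illustration.

```python
"""Model of the IKE policy matching described in this guide: both peers must use
the same Diffie-Hellman group, and at least one of the (up to three) encryption/
authentication combinations must be common to both. Constructed example, not
Cyberoam code; "local preference order" for combinations is an assumption."""
from dataclasses import dataclass

# DH group -> modulus length in bits, as listed in the guide's table.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256", "TwoFish", "BlowFish", "Serpent"}
AUTHENTICATION = {"MD5", "SHA1"}

# Phase-2 group may be an integer group, SAME_AS_PHASE1 or NO_PFS (assumed encodings).
SAME_AS_PHASE1 = "same"
NO_PFS = None


class NegotiationError(Exception):
    """Raised when the two policies cannot agree on a security association."""


@dataclass
class PhasePolicy:
    combos: list       # ordered list of (encryption, authentication) tuples, 1..3 entries
    dh_group: object   # DH group number, SAME_AS_PHASE1 or NO_PFS

    def __post_init__(self):
        if not 1 <= len(self.combos) <= 3:
            raise ValueError("a phase takes between one and three combinations")
        for enc, auth in self.combos:
            if enc not in ENCRYPTION or auth not in AUTHENTICATION:
                raise ValueError(f"unsupported combination {enc}-{auth}")
        if self.dh_group not in (SAME_AS_PHASE1, NO_PFS) and self.dh_group not in DH_GROUP_BITS:
            raise ValueError(f"unsupported DH group {self.dh_group!r}")


def resolve_group(phase, phase1_group):
    """'Same as Phase 1' borrows the group used in phase 1."""
    return phase1_group if phase.dh_group == SAME_AS_PHASE1 else phase.dh_group


def negotiate_phase(local, remote, local_p1_group=None, remote_p1_group=None):
    """Return (combination, dh_group) agreed for one phase, or raise NegotiationError.
    Mismatched DH groups fail outright; combinations are tried in the local
    policy's order (assumed preference order)."""
    lg = resolve_group(local, local_p1_group)
    rg = resolve_group(remote, remote_p1_group)
    if lg != rg:
        raise NegotiationError(f"DH group mismatch: local {lg} vs remote {rg}")
    for combo in local.combos:
        if combo in remote.combos:
            return combo, lg
    raise NegotiationError("no common encryption/authentication combination")


def negotiate(local_p1, local_p2, remote_p1, remote_p2):
    """Run both phases; phase 2 may reuse the phase-1 group via SAME_AS_PHASE1."""
    p1 = negotiate_phase(local_p1, remote_p1)
    p2 = negotiate_phase(local_p2, remote_p2, local_p1.dh_group, remote_p1.dh_group)
    return {"phase1": p1, "phase2": p2}


if __name__ == "__main__":
    head = PhasePolicy([("AES256", "SHA1"), ("3DES", "MD5")], 14)
    branch = PhasePolicy([("AES128", "SHA1"), ("3DES", "MD5")], 14)
    print(negotiate(head, PhasePolicy([("AES256", "SHA1")], SAME_AS_PHASE1),
                    branch, PhasePolicy([("AES256", "SHA1")], 14)))
```

A phase-1 mismatch (for instance group 14 on one side and group 5 on the other) raises before any combination is compared, which mirrors the guide's statement that the group cannot be switched during negotiation.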

Re-key Margin

This is the time before the next key is exchanged, and is calculated by subtracting the time elapsed since the last key exchange from the key life. By setting Re-keying to ‘Yes’, the negotiation process starts automatically before key expiry, without interrupting the service.

Dead Peer Detection settings

Dead Peer Detection is used to check whether the Appliance can still reach the peer's IP Address. Set the time interval after which the status of the peer is to be checked, and the action to take if the peer is not alive.
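As an added illustration, not taken from this guide or the Cyberoam product, the following Python simulation shows how the three DPD parameters that the policy table describes (Check Peer After Every, Wait For Response Upto, Action When Peer Unreachable) interact, and what the worst-case time to notice a dead peer is. DpdConfig, run_dpd, the reply-delay input and the state names are assumptions of the example.

```python
"""Dead Peer Detection as configured in this guide: probe the peer every
check_every seconds, wait wait_upto seconds for an answer, and on silence apply
the configured action (Hold, Disconnect or Re-initiate). Constructed simulation,
not Cyberoam code; state names and the reply-delay input are assumptions."""
from dataclasses import dataclass

HOLD, DISCONNECT, REINITIATE = "Hold", "Disconnect", "Re-initiate"
# What each action does to the connection once the peer is declared inactive.
ACTION_STATE = {HOLD: "held", DISCONNECT: "disconnected", REINITIATE: "renegotiating"}


@dataclass
class DpdConfig:
    enabled: bool
    check_every: int   # seconds: "Check Peer After Every"
    wait_upto: int     # seconds: "Wait For Response Upto"
    action: str        # "Action When Peer Unreachable"

    def __post_init__(self):
        if self.action not in ACTION_STATE:
            raise ValueError(f"unknown DPD action {self.action!r}")
        if self.check_every <= 0 or self.wait_upto <= 0:
            raise ValueError("intervals must be positive")


def run_dpd(cfg, reply_delays, is_initiator=True):
    """Simulate DPD probes over an established connection.

    reply_delays[k] is how many seconds the peer took to answer probe k+1, or
    None if it never answered. Returns (final_state, events); events is a list
    of (time_in_seconds, message). Only the peer that initiated the connection
    probes, as the guide states for "Check Peer After Every".
    """
    events = []
    if not cfg.enabled or not is_initiator:
        return "connected", events
    for k, delay in enumerate(reply_delays, start=1):
        sent_at = k * cfg.check_every
        if delay is not None and delay <= cfg.wait_upto:
            events.append((sent_at + delay, f"probe {k}: peer alive"))
            continue
        declared_at = sent_at + cfg.wait_upto      # timeout expired without a reply
        state = ACTION_STATE[cfg.action]
        events.append((declared_at, f"probe {k}: no reply within {cfg.wait_upto}s, peer inactive"))
        events.append((declared_at, f"{cfg.action}: connection {state}"))
        return state, events
    return "connected", events


def detection_latency(cfg):
    """Worst-case seconds between the peer going silent and it being declared
    inactive: a peer that dies right after answering is only caught by the next
    probe, which then has to time out."""
    return cfg.check_every + cfg.wait_upto


if __name__ == "__main__":
    cfg = DpdConfig(True, 30, 120, REINITIATE)
    print(run_dpd(cfg, [2, 5, None]), detection_latency(cfg))
```

The latency figure is the one to size against the application's own timeouts: with a 30-second probe interval and a 120-second response wait, a dead peer may stay "connected" for up to 150 seconds before the configured action runs.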

Tunnel Negotiation

Negotiation process starts to establish the connection when local or remote peers want to communicate with each other. Depending on the connection parameters defined, the key is generated which is used for negotiations. Lifetime of key is specified as Key life. Once the connection is established, connection is alive/active and data can be transferred up to the specified key life. Connection will be closed/deactivated once the key expires.

If the connection is to be activated again then the entire negotiation process is to be started all over again. Negotiation process can be started again automatically by either the local or remote peer only if Allow Re-keying is set to ‘Yes’. Set the re-keying time in terms of the remaining key life when negotiation is to be started automatically without interrupting the communication before key expiry. For example, if key life is 8 hours and Re-key margin time is 10 minutes then negotiation process will automatically start after 7 hours 50 minutes of key usage.

Negotiation process will generate a new key only if Perfect Forward Secrecy (PFS) is set to ‘Yes’. PFS will generate a new key from scratch and there is no dependency between the old and new key.

Re-keying   Result

Yes         Local and remote peer both will be able to initiate a request for connection. Depending on PFS, negotiation process will use same key or generate a new key.

No          Only the remote peer will be able to initiate request for connection. Depending on PFS, negotiation process will use the same key or generate a new key.
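The Key Life, Re-key Margin and Randomize Re-Keying Margin By parameters, and the rule that mismatched key lives renegotiate when the shorter one runs out, reduce to a small amount of arithmetic that is worth having as code when checking two peers' settings. The following Python script is an added example, not Cyberoam code; the function names, the PeerPolicy fields and the choice to treat the latest point of the randomized window as a peer's guaranteed trigger are assumptions.

```python
"""Re-keying arithmetic from this guide: Key Life, Re-key Margin and Randomize
Re-Keying Margin By, plus the rule that differing key lives renegotiate when
the shorter one expires. Constructed example, not Cyberoam code."""
import random
from dataclasses import dataclass

HOURS, MINUTES = 3600, 60


def rekey_window(key_life, margin, randomize_pct=0):
    """Return (earliest, latest) seconds of key usage at which re-keying may begin.
    The margin is measured back from expiry and widened by +/- randomize_pct."""
    if not 0 < margin < key_life:
        raise ValueError("Re-key Margin must be positive and shorter than Key Life")
    if not 0 <= randomize_pct < 100:
        raise ValueError("randomization must be a percentage below 100")
    spread = margin * randomize_pct / 100
    return key_life - (margin + spread), key_life - (margin - spread)


def pick_rekey_time(key_life, margin, randomize_pct=0, rng=random.random):
    """Draw one start time uniformly inside the window (rng injectable for tests)."""
    lo, hi = rekey_window(key_life, margin, randomize_pct)
    return lo + (hi - lo) * rng()


@dataclass
class PeerPolicy:
    key_life: int          # seconds
    margin: int            # seconds
    randomize_pct: int = 0
    allow_rekey: bool = True


def next_renegotiation(local, remote):
    """Seconds after key establishment at which renegotiation starts.

    A peer with Allow Re-Keying starts no later than the end of its window; a
    peer without it simply lets the key expire. Per the guide, mismatched key
    lives renegotiate whenever either peer's key life is over, so the earliest
    trigger wins (assumption: the rekeying peer's latest start is its trigger)."""
    def trigger(p):
        if p.allow_rekey:
            return rekey_window(p.key_life, p.margin, p.randomize_pct)[1]
        return p.key_life
    return min(trigger(local), trigger(remote))


if __name__ == "__main__":
    # The guide's example: 8 hour Key Life, 10 minute margin, 20% randomization.
    print(rekey_window(8 * HOURS, 10 * MINUTES, 20))
    print(next_renegotiation(PeerPolicy(8 * HOURS, 10 * MINUTES),
                             PeerPolicy(4 * HOURS, 10 * MINUTES, allow_rekey=False)))
```

With the guide's figures the window comes out as 28080 to 28320 seconds of key usage, i.e. between 12 and 8 minutes before the 8 hour expiry, and a remote peer configured with a 4 hour Key Life and no re-keying forces renegotiation at 4 hours regardless of the local margin.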

Cyberoam provides 5 default policies and you can also create a custom policy to meet your organization’s requirement.

To make VPN connection configuration an easy task, the following five preconfigured VPN policies are included for the most frequently used VPN deployment scenarios:

Road warrior

L2TP

Head Office connectivity

Branch Office connectivity

Default

Manage VPN Policies

To manage custom VPN policies, go to VPN > Policy > Policy.

Duplicate – Click the duplicate icon in the Manage column against the VPN Policy to be duplicated. The Add VPN Policy window is displayed with the same parameter values as the existing policy. Modify the values as required and click OK to add the new policy.

Note Default policy can be updated but cannot be deleted.

Screen – Manage VPN Policies

Screen Element – Description

Name – Displays a name for the VPN Policy.

Keying Method – Displays the Keying method.

Authentication Mode – Displays the Authentication Mode selected: Main or Aggressive Mode.

Compress – Displays whether compression is enabled or not.

PFS – Displays whether Perfect Forward Secrecy is enabled or not.

Encryption-Authentication Algorithm – Displays the Encryption and Authentication Algorithm used for Phase 1 and Phase 2.

Re-Key – Displays whether Re-Keying is enabled or not.

Key Negotiation Tries – Displays the number of times “Key Negotiation Tries” is allowed.

DPD – Displays whether Dead Peer Detection is enabled or not.

Action on Active Peer – Displays the Action selected when Dead Peer Detection is activated: Hold, Disconnect, Re-initiate.

Duplicate Icon – Duplicate the VPN Policy.

Table – Manage VPN Policies screen elements

VPN Policy Parameters

To add, edit or duplicate policies, go to VPN > Policy > Policy. Click the Add Button to add a new policy, or the Edit Icon in the Manage column against the policy to be modified.

Screen – Add VPN Policy

Screen Element – Description

General Settings

Name – Specify a name to identify the VPN Policy.

Description – Provide a description for the VPN Policy.

Allow Re-Keying – Enable Re-Keying to start the negotiation process automatically before key expiry. The process starts automatically at the time specified in the Re-key Margin. If enabled, the negotiation process can be initiated by either the local or the remote peer. Depending on PFS, the negotiation process will use the same key or generate a new key.

Key Negotiation Tries – Specify the maximum number of key negotiation attempts allowed. Set 0 for an unlimited number of attempts.

Authentication Mode – Select the mode of Authentication. The Authentication Mode is used for exchanging authentication information.

Available Options:

Main Mode

Aggressive Mode – With Aggressive Mode, the tunnel can be established faster than with Main Mode, as fewer messages are exchanged during authentication and no cryptographic algorithm is used to encrypt the authentication information. Use Aggressive Mode when the remote peer has a dynamic IP Address.

Depending on the Authentication Mode, the phase 1 parameters are exchanged for authentication purposes. In Main Mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information, while in Aggressive Mode the phase 1 parameters are exchanged in a single message without encrypted information.

Pass Data in Compressed Format – Disable to pass data in uncompressed format. To increase throughput, we recommend keeping it enabled so that data is passed in compressed form. Default – Enable.

PHASE 1

Encryption Algorithm – Select the encryption algorithm that would be used by the communicating parties for integrity of exchanged data for phase 1.

Supported Encryption algorithms: DES, 3DES, AES128, AES192, AES256, TwoFish, BlowFish, and Serpent.

3DES – Triple DES is a strong symmetric encryption algorithm that is compliant with the OpenPGP standard. It is the application of the DES standard where three keys are used in succession to provide additional security.

AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. This security system supports a number of encryption algorithms.

Serpent – Serpent is a 128-bit block cipher that encrypts and decrypts data in chunks of 128 bits with a variable key length of 128, 192 or 256 bits. The Serpent algorithm uses 32 rounds, or iterations of the main algorithm. Serpent is faster than DES and more secure than Triple DES.

BlowFish – BlowFish is a symmetric encryption algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher which divides a message into fixed length blocks during encryption and decryption. It has a 64-bit block size and a key length of anywhere between 32 bits and 448 bits, and uses 16 rounds of the main algorithm.

TwoFish – Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.

Authentication Algorithm – Select the Authentication Algorithm that would be used by the communicating parties for integrity of exchanged data for phase 1.

Supported Authentication algorithms: MD5, SHA1

A maximum of three combinations of encryption and authentication algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations. Click the add icon to add more than one combination of encryption and authentication algorithm.

DH Group (Key Group) – Select one Diffie-Hellman Group from 1, 2, 5, 14, 15 or 16. The DH Group specifies the key length used for encryption:

DH Group 1 uses 768-bit encryption

DH Group 2 uses 1024-bit encryption

DH Group 5 uses 1536-bit encryption

DH Group 14 uses 2048-bit encryption

DH Group 15 uses 3072-bit encryption

DH Group 16 uses 4096-bit encryption

The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.

Key Life – Specify the Key Life in seconds. Key Life is the amount of time that will be allowed to pass before the key expires.

Re-key Margin – Specify the Re-Key Margin, in terms of the remaining Key Life. The Re-Key Margin is the time at which the negotiation process should start automatically, without interrupting communication, before key expiry.

For example, if the Key Life is 8 hours and the Re-key Margin is 10 minutes, then the negotiation process will automatically start after 7 hours 50 minutes of Key Life usage.

Randomize Re-Keying Margin By – Specify the Randomize Re-Keying time. For example, if the Key Life is 8 hours, the Re-Key Margin is 10 minutes and the Randomize Re-Keying time is 20%, then the Re-Key Margin will be 8 to 12 minutes: the negotiation process will start automatically 8 minutes before key expiry and will try up to 2 minutes after key expiry.

Dead Peer Detection – Enable DPD (Dead Peer Detection) to check at regular intervals whether a peer is live or not.

Check Peer After Every – Specify the time after which the peer should be checked for its status (only if DPD is “Enabled”). Once the connection is established, the peer which initiated the connection checks whether the other peer is live or not.

Wait For Response Upto – Specify the time (seconds) for which the initiating peer should wait for the status response (only if Dead Peer Detection is “Enabled”). If the response is not received within the specified time, the peer is considered to be inactive.

Action When Peer Unreachable – Specify what action should be taken if the peer is inactive (only if DPD is ‘Enabled’).

Available Options:

Hold – Holds the connection.

Disconnect – Closes the connection.

Re-initiate – Re-establishes the connection.

PHASE 2

Encryption Algorithm – Select the Encryption Algorithm that would be used by the communicating parties for integrity of exchanged data for phase 2.

Supported Encryption Algorithms: DES, 3DES, AES128, AES192, AES256, TwoFish, BlowFish, and Serpent.

3DES – Triple DES is a strong symmetric Encryption Algorithm that is compliant with the OpenPGP standard. It is the application of the DES standard where three keys are used in succession to provide additional security.

AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. This security system supports a number of Encryption Algorithms.

Serpent – Serpent is a 128-bit block cipher, i.e. data is encrypted and decrypted in 128-bit chunks, with a variable key length of 128, 192 or 256 bits. The Serpent algorithm uses 32 rounds, or iterations of the main algorithm. Serpent is faster than DES and more secure than Triple DES.

BlowFish – BlowFish is a symmetric Encryption Algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher which divides a message into fixed length blocks during encryption and decryption. It has a 64-bit block size and a key length of anywhere from 32 bits to 448 bits, and uses 16 rounds of the main algorithm.

TwoFish – Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.

Authentication Algorithm – Select the Authentication Algorithm that would be used by the communicating parties for integrity of exchanged data for phase 2.

Supported Authentication Algorithms: MD5, SHA1

A maximum of three combinations of encryption and authentication algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations. Click the add icon to add more than one combination of encryption and authentication algorithm.

PFS Group (DH Group) – Select one DH group from 1, 2, 5, 14, 15 or 16. The DH Group specifies the key length used for encryption:

DH Group 1 uses 768-bit encryption

DH Group 2 uses 1024-bit encryption

DH Group 5 uses 1536-bit encryption

DH Group 14 uses 2048-bit encryption

DH Group 15 uses 3072-bit encryption

DH Group 16 uses 4096-bit encryption

The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.

If “Same as Phase 1” is selected, the PFS group specified at the connection initiator’s end will be used.

If No PFS is selected, this security parameter cannot be added for Phase 2.

Key Life – Specify the Key Life in seconds. Key Life is the amount of time that will be allowed to pass before the key expires. The default time is 3600 seconds.

If Manual Keying method is selected

Local SPI – Enter the value of the Local SPI.

Remote SPI – Enter the value of the Remote SPI.

Encryption Algorithm – Select the encryption algorithm that would be used by the communicating parties for integrity of exchanged data for phase 1.

Supported Encryption algorithms: DES, 3DES, AES128, AES192, AES256.

3DES – Triple DES is a strong symmetric encryption algorithm that is compliant with the OpenPGP standard. It is the application of the DES standard where three keys are used in succession to provide additional security.

AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. This security system supports a number of encryption algorithms.

Inbound Encryption Key – Enter the hexadecimal (hex) value of the Inbound Encryption Key based on the Encryption Algorithm selected.

Outbound Encryption Key – Enter the hexadecimal (hex) value of the Outbound Encryption Key based on the Encryption Algorithm selected.

Authentication Algorithm – Select the Authentication Algorithm that would be used by the communicating parties for integrity of exchanged data for phase 2.

Supported Authentication Algorithms: MD5, SHA1

A maximum of three combinations of encryption and authentication algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations. Click the add icon to add more than one combination of encryption and authentication algorithm.

Inbound Authentication Key (Hex) – Enter the hexadecimal (hex) value of the Inbound Authentication Key based on the Authentication Algorithm selected.

Outbound Authentication Key (Hex) – Enter the hexadecimal (hex) value of the Outbound Authentication Key based on the Authentication Algorithm selected.

Table – Add VPN Policy screen elements
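The Manual Keying fields above take raw SPI numbers and hex keys, and the screen description does not say how long each key must be or which SPI values are usable; both are easy to get wrong when two administrators type them in by hand. The following Python validator is an added example, not Cyberoam code. The key sizes it enforces are the algorithms' standard sizes (DES 64 bits, 3DES 192, AES as named, HMAC-MD5 128, HMAC-SHA1 160) and the SPI floor of 256 follows RFC 4303, which reserves 0 to 255; whether the appliance accepts exactly these lengths, and the accepted "0x" prefix, are assumptions.

```python
"""Checks on the Manual Keying fields of the Add VPN Policy screen: SPI values
and hex-encoded inbound/outbound keys. Constructed example, not Cyberoam code.
Key lengths are the algorithms' standard sizes (assumed to be what the screen
expects); SPI values 0-255 are reserved by IANA (RFC 4303, section 2.1)."""
import re

ENC_KEY_BITS = {"DES": 64, "3DES": 192, "AES128": 128, "AES192": 192, "AES256": 256}
AUTH_KEY_BITS = {"MD5": 128, "SHA1": 160}
HEX = re.compile(r"^[0-9a-fA-F]+$")
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF


def check_hex_key(label, value, expected_bits):
    """Return a list of problems for one hex key field (empty when it is fine)."""
    v = value[2:] if value.lower().startswith("0x") else value   # "0x" prefix tolerated (assumption)
    if not HEX.match(v):
        return [f"{label}: not a hexadecimal string"]
    if len(v) * 4 != expected_bits:
        return [f"{label}: {len(v) * 4} bits given, {expected_bits} expected"]
    if set(v) <= {"0"}:
        return [f"{label}: all-zero key"]
    return []


def check_spi(label, spi):
    """SPIs are 32-bit; 0-255 are reserved and must not be chosen by hand."""
    if not SPI_MIN <= spi <= SPI_MAX:
        return [f"{label}: {spi} outside {SPI_MIN}..{SPI_MAX:#x}"]
    return []


def validate_manual_keys(cfg):
    """cfg is a dict with the screen's fields. Returns (problems, warnings):
    problems block the configuration, warnings flag weak but accepted choices."""
    problems, warnings = [], []
    problems += check_spi("Local SPI", cfg["local_spi"])
    problems += check_spi("Remote SPI", cfg["remote_spi"])
    enc, auth = cfg["encryption"], cfg["authentication"]
    if enc not in ENC_KEY_BITS or auth not in AUTH_KEY_BITS:
        return [f"unsupported algorithm pair {enc}/{auth}"], warnings
    for label, key in (("Inbound Encryption Key", "in_enc"), ("Outbound Encryption Key", "out_enc")):
        problems += check_hex_key(label, cfg[key], ENC_KEY_BITS[enc])
    for label, key in (("Inbound Authentication Key", "in_auth"), ("Outbound Authentication Key", "out_auth")):
        problems += check_hex_key(label, cfg[key], AUTH_KEY_BITS[auth])
    # Reusing one key for both directions lets traffic be reflected back; avoid it.
    if cfg["in_enc"].lower().lstrip("0x") == cfg["out_enc"].lower().lstrip("0x"):
        warnings.append("same encryption key in both directions; use distinct keys per direction")
    if enc == "DES":
        warnings.append("DES has a 56-bit effective key and is considered broken; prefer AES")
    if auth == "MD5":
        warnings.append("MD5 is deprecated for integrity protection; prefer SHA1 where the peer supports it")
    return problems, warnings


# Constructed sample configuration (keys are placeholders, not real material).
SAMPLE = {
    "local_spi": 0x1000, "remote_spi": 0x1001,
    "encryption": "AES128", "authentication": "SHA1",
    "in_enc": "0x" + "ab" * 16, "out_enc": "cd" * 16,
    "in_auth": "ef" * 20, "out_auth": "01" * 20,
}

if __name__ == "__main__":
    print(validate_manual_keys(SAMPLE))
    print(validate_manual_keys(dict(SAMPLE, encryption="AES256", local_spi=7)))
```

Note that the same check has to pass on both peers with the directions swapped: the local Inbound Encryption Key is the remote Outbound Encryption Key, and vice versa, and the Local SPI here is the Remote SPI on the other side.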

IPSec

IPSec (IP Security) is a suite of protocols designed to provide cryptographically secure communications at the IP layer (layer 3).

IPSec protocols:

Authentication Header (AH) – Used for the authentication of packet senders and for ensuring the integrity of packet data. The AH protocol checks the authenticity and integrity of packet data. In addition, it checks that the sender and receiver IP Addresses have not been changed in transmission. Packets are authenticated using a checksum created with an HMAC (Hash-based Message Authentication Code) in connection with a key.

Encapsulating Security Payload (ESP) – Used for encrypting the entire packet and for authenticating its contents. In addition to the encryption, the ESP offers the ability to authenticate senders and verify packet contents.

IPSec modes:

Transport Mode – The original IP packet is not encapsulated in another packet. The original IP header is retained, and the rest of the packet is sent either in clear text (AH) or encrypted (ESP). Either the complete packet can be authenticated with AH, or the payload can be encrypted and authenticated using ESP. In both cases, the original header is sent over the WAN in clear text. Use Transport Mode where both endpoints understand IPSec directly. Transport Mode is used between peers supporting IPSec, or between a host and a gateway, if the gateway is being treated as a host.

Tunnel Mode – The complete packet – header and payload – is encapsulated in a new IP packet. An IP header is added to the IP packet, with the destination address set to the receiving tunnel endpoint. The IP Addresses of the encapsulated packets remain unchanged. The original packet is then authenticated with AH or encrypted and authenticated using ESP. Tunnel Mode is primarily used for interoperability with gateways or end systems that do not support L2TP/IPSec or PPTP VPN site-to-site connections.
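A concrete way to see the difference between the two protocols and the two modes is to look at what a passive observer on the WAN can read from each packet. The following Python script is an added example, not from this guide or the Cyberoam product: it builds two constructed packets inline (an AH tunnel-mode packet with a dummy 12-byte ICV and an ESP packet with dummy ciphertext), decodes the headers defined in RFC 4302 (AH) and RFC 4303 (ESP), and reports what is visible. The function names and the sample addresses are assumptions.

```python
"""What a network observer sees of AH and ESP packets, as an added illustration
of the protocol and mode descriptions in this guide. Constructed example, not
Cyberoam code; sample packets are built inline and the ICV bytes are dummies."""
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51


def parse_ipv4(buf):
    """Minimal IPv4 header decode: header length, protocol, addresses."""
    ihl = (buf[0] & 0x0F) * 4
    return {"hdr_len": ihl, "proto": buf[9],
            "src": ".".join(map(str, buf[12:16])), "dst": ".".join(map(str, buf[16:20]))}


def parse_ah(buf):
    """RFC 4302 header: next header, payload length (in 32-bit words minus 2),
    reserved, SPI, sequence number, then the ICV. Everything is in clear."""
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:12])
    ah_len = (payload_len + 2) * 4
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": buf[12:ah_len].hex(), "payload": buf[ah_len:]}


def parse_esp(buf):
    """RFC 4303: only SPI and sequence number are visible; the next-header field
    sits in the encrypted trailer, so the mode cannot be told from outside."""
    spi, seq = struct.unpack("!II", buf[:8])
    return {"spi": spi, "seq": seq, "ciphertext_len": len(buf) - 8}


def observe(packet):
    """Summarize an IPSec packet the way a passive observer on the WAN could."""
    ip = parse_ipv4(packet)
    body = packet[ip["hdr_len"]:]
    if ip["proto"] == IPPROTO_AH:
        ah = parse_ah(body)
        # AH reveals the mode: an IP-in-IP next header means tunnel mode.
        mode = "tunnel" if ah["next_header"] == IPPROTO_IPIP else "transport"
        return {"protocol": "AH", "spi": ah["spi"], "seq": ah["seq"],
                "mode": mode, "inner_visible": True}
    if ip["proto"] == IPPROTO_ESP:
        esp = parse_esp(body)
        return {"protocol": "ESP", "spi": esp["spi"], "seq": esp["seq"],
                "mode": "not observable", "inner_visible": False}
    return {"protocol": str(ip["proto"])}


def ipv4_header(src, dst, proto, payload_len):
    """Build a 20-byte IPv4 header (no options, checksum left zero) for samples."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)


# Constructed samples: an AH tunnel-mode packet (next header 4 = IPv4-in-IPv4,
# 12-byte HMAC-SHA1-96 ICV, so payload length 4) and an ESP packet.
INNER = ipv4_header("10.1.1.5", "10.2.2.9", IPPROTO_TCP, 0)
AH_BODY = struct.pack("!BBHII", IPPROTO_IPIP, 4, 0, 0x1000, 1) + b"\x11" * 12 + INNER
AH_PACKET = ipv4_header("203.0.113.1", "198.51.100.1", IPPROTO_AH, len(AH_BODY)) + AH_BODY
ESP_BODY = struct.pack("!II", 0x2000, 7) + b"\x00" * 40
ESP_PACKET = ipv4_header("203.0.113.1", "198.51.100.1", IPPROTO_ESP, len(ESP_BODY)) + ESP_BODY

if __name__ == "__main__":
    print(observe(AH_PACKET))
    print(observe(ESP_PACKET))
```

The point the output makes is the one the text states: with AH the inner packet, including the private addresses in tunnel mode, travels in clear and only its integrity is protected, whereas with ESP an observer learns the SPI, the sequence number and the ciphertext length and nothing else.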

IPSec connections types (for Tunnel mode only):

Remote Access – This type of VPN is a user-to-internal network connection via a public or shared network. Many large companies have employees that need to connect to the internal network while they are in the field. These field agents access the internal network using remote computers and laptops without a static IP Address.

Site-to-Site – A Site-to-Site VPN connects an entire network (such as a LAN or WAN) to a remote network by way of a network-to-network connection. A network-to-network connection requires routers on each side of the connecting networks to transparently process and route information from one node on a LAN to a node on a remote LAN.

Host-to-Host – A Host-to-Host VPN connects one desktop or workstation to another by way of a host-to-host connection. This type of connection uses the network to which each host is connected to create the secure tunnel between them.

Connection

Failover Group

Manage IPSec Connection

To manage IPSec connections, go to VPN > IPSec > Connection.

Note IPSec connection – On deletion of the connection, the Appliance does not delete its related hosts and Firewall Rules related to the connection. Manual intervention is required to delete them. Remote Access connection – On deletion of the connection, the Appliance deletes all the dynamically created hosts and Firewall Rules related to the connection.

Screen – Manage IPSec Connections

Screen Element – Description

Name – Displays the name of the IPSec Connection.

Group Name – Displays the name of the Failover Group.

Policy – Displays the name of the VPN Policy selected. Point to the policy link to view or edit the policy details.

Connection Type – Displays the type of Connection selected: Remote Access, Site-to-Site or Host-to-Host.

Status (Active/Connection) – Displays the status of the Connection:

– Activated and Disconnected. Click to initiate the connection.

– Activated and Connected. Click to disconnect the connection. When you disconnect, the connection is deactivated; to re-establish the connection, activate it again.

– Activated but Partially connected. Click to disconnect the connection. When multiple subnets are configured for the LAN and/or remote network, the Appliance creates a sub-connection for each subnet. A Connection Status in yellow indicates that one of the sub-connections is not active.

Clicking any of the above icons toggles its status from Activated and Connected to Activated and Disconnected and vice versa. A confirmation pop-up prompting the same is displayed.

Remote Gateway – Displays the Remote VPN Server IP Address selected as the Remote Gateway.

Local Subnet – Displays the IP Host selected as the Local Subnet.

X-Auth – Displays the Authentication Mode selected: Enabled as Server, Enabled as Client or Disabled.

Remote Subnet – Displays the IP Host selected as the Remote Subnet.

Remote ID – Displays the value of the Remote ID selected. For Preshared Key and RSA Key, DER ASN1 DN (X.509) is not applicable.

Authentication Type – Displays the type of Authentication selected – Preshared Key, Digital Certificate or RSA Key. Authentication of the user depends on the connection type.

Action on VPN Restart – Displays the Action taken on the connection when VPN services or the Appliance restarts – Respond Only, Initiate or Disable.

Local ID – Displays the value of the Local ID selected - DNS, IP Address, Email Address or DER ASN1 DN (X.509). For Preshared Key and RSA Key, DER ASN1 DN (X.509) is not applicable. In case of a Local Certificate, the ID and its value are displayed automatically as specified in the Local Certificate.

Export Icon – Click the Export Icon to export the connection configuration file. The Export icon is available for Remote Access connections only.

Table – Manage IPSec Connections screen elements

IPSec Connection Parameters

To add or edit VPN connections, go to VPN > IPSec > Connection. Click the Add Button to add a new connection, or the Edit Icon in the Manage column against the connection to be modified.

Following are the VPN connection modes/types in Cyberoam.

Parameters – Remote Access VPN Connection

Screen – Add Remote Access IPSec Connection

Screen Element – Description

General Settings

Name – Specify a name to identify the IPSec Connection.

Description – Provide a description for the IPSec Connection.

Connection Type – Remote Access.

Policy – Select the policy to be used for the connection. A policy can also be added by clicking the “Add Policy” link.

Action on VPN Restart – Select the Action to be taken on the connection when VPN services or the Appliance restarts.

Available Options:

Respond Only – Keep the connection ready to respond to any incoming request.

Disable – Keep the connection disabled till the user activates it.

Authentication Details

Authentication Type

Select Authentication Type. Authentication of user depends on the connection type.

Available Options:

Preshared Key authentication uses one shared secret that both peers must possess. During IKE Phase 1 each peer proves knowledge of the key: it is mixed into the keying material and into the authentication hash, so a peer holding a different key fails authentication. The Preshared Key does not itself encrypt tunnel traffic; the session keys are derived from the Diffie-Hellman exchange negotiated under the selected policy. On selecting this option, provide the following details:

Preshared Key – Specify the Preshared Key to be used. The appliance accepts a minimum of 5 characters; treat that as a floor only and use a long random key (20 or more characters from a cryptographically secure generator), because a short key can be recovered by offline guessing against the Phase 1 authentication hash by an attacker who can observe or impersonate a peer.

Confirm Preshared Key – Enter the same Preshared Key again to confirm it.

The Preshared Key has to be communicated to the administrator of the remote peer, over a channel other than the tunnel it is meant to protect, and entered there for authentication. Refer to the VPN Client guide, Phase 1 Configuration.

If the keys do not match, Phase 1 authentication fails and the connection cannot be established.

Digital Certificate authentication has each peer present an X.509 certificate issued by a Certificate Authority and prove possession of the matching private key. Each side must trust the CA that issued the other side's certificate, so the CA certificate, not only the peer certificate, has to be present on both ends.

Local Certificate – Select the local certificate that the Appliance presents to the remote peer.

Remote Certificate – Select the certificate the remote peer is expected to present.

Endpoints Details

Local Select Local WAN port from the list.

Remote Specify an IP Address or domain name of the remote peer.

Local Network Details

Local Subnet Select Local LAN Address.

Add and Remove LAN Address using Add Button and Remove Button.

Local ID For Preshared Key and RSA Key, select any type of ID from the available options and specify its value.

Available Options:

DNS

IP Address

Email

DER ASN1 DN (X.509)

DER ASN1 DN (X.509) applies to certificate authentication only and is not applicable with a Preshared Key or RSA Key.

The ID is what the remote peer matches against its configured Remote ID, so the two settings must agree exactly; a mismatch fails Phase 1 even when the key is correct. In case of Local Certificate, the ID and its value are filled in automatically from the Local Certificate.

Remote Network Details

Allow NAT Traversal Enable NAT traversal if a NAT device is located between the VPN endpoints, which is the case whenever the remote peer has a private, non-routable IP address. With NAT-T the peers detect the NAT during Phase 1 and encapsulate ESP in UDP port 4500 so that the translated packets still reach the tunnel.

Only one connection at a time can be established from behind a given NAT device.

Remote LAN Network Select IP Hosts from the list of IP Hosts available.

You can also add a new IP Host and include it in the list by clicking “Add IP Host” link.

Remote ID For Preshared Key, select any type of ID from the available options and specify its value.

Available Options:

DNS

IP Address

Email

DER ASN1 DN (X.509)

DER ASN1 DN (X.509) applies to certificate authentication only and is not applicable with a Preshared Key. The value must match the Local ID configured on the remote peer.

User Authentication

User Authentication Mode

Select whether user authentication is required when the connection is established.

Available Options:

Disabled – Select Disable if user authentication is not required.

Enable as Client – The Appliance presents a username and password to the remote peer; specify them here.

Enable as Server – The Appliance authenticates the connecting users; add every user who is allowed to connect. When all Remote Access clients share one Preshared Key, this is the only per-user control on the connection, so enable it unless each client is identified by its own certificate.

Quick Mode Selectors

Protocol Select the protocols the tunnel is allowed to carry. Together with the local and remote subnets these values form the Phase 2 (Quick Mode) traffic selectors: only traffic matching them is sent through the tunnel, and the remote peer must propose compatible selectors or Phase 2 negotiation fails.


Available Options:

All

ICMP

UDP

TCP

Local Port Specify Local Port for TCP or UDP.

Remote Port Specify Remote Port for TCP or UDP.

Advanced Settings

Disconnect when tunnel is idle

Enable this option to let the Appliance delete a VPN session that stays idle for longer than the specified idle session time interval.

Default - Disable

Idle session time interval

(Only if Disconnect when tunnel is idle is enabled)

Specify the time limit after which an idle VPN session is deleted by the Appliance.

Acceptable Range – 120 to 999

Table – Add Remote Access VPN Connection screen elements


Parameters – Site-to-Site VPN Connection

Screen – Add Site to Site IPSec Connection

Screen Elements Description

General Settings

Name Specify a name to identify the IPSec Connection.

Description Provide description for the IPSec Connection.

Connection Type Site-to-Site.

Policy Select the policy to be used for the connection.

Action on VPN Restart Select the Action to be taken on the connection when VPN services or the Appliance restarts.


Available Options:

Respond Only – Load the connection so that it answers incoming negotiation requests; the Appliance never initiates it.

Initiate – Bring the connection up on system or service start and keep it ready, so that it is established whenever required.

Disable – Keep the connection disabled until it is activated manually.

Authentication Details

Authentication Type

Select the Authentication Type. The options offered depend on the connection type.

Available Options:

Preshared Key authentication uses one shared secret that both peers must possess. During IKE Phase 1 each peer proves knowledge of the key: it is mixed into the keying material and into the authentication hash, so a peer holding a different key fails authentication. The Preshared Key does not itself encrypt tunnel traffic; the session keys are derived from the Diffie-Hellman exchange negotiated under the selected policy. On selecting this option, provide the following details:

Preshared Key – Specify the Preshared Key to be used. The appliance accepts a minimum of 5 characters; treat that as a floor only and use a long random key, because a short key can be recovered by offline guessing against the Phase 1 authentication hash by an attacker who can observe or impersonate a peer.

Confirm Preshared Key – Enter the same Preshared Key again to confirm it.

The Preshared Key has to be communicated to the administrator of the remote peer, over a channel other than the tunnel it is meant to protect, and entered there for authentication. Refer to the VPN Client guide, Phase 1 Configuration.

If the keys do not match, Phase 1 authentication fails and the connection cannot be established.

Digital Certificate authentication has each peer present an X.509 certificate issued by a Certificate Authority and prove possession of the matching private key. Each side must trust the CA that issued the other side's certificate, so the CA certificate, not only the peer certificate, has to be present on both ends.

Local Certificate – Select the local certificate that the Appliance presents to the remote peer.

Remote Certificate – Select the certificate the remote peer is expected to present.

RSA Key authentication uses an RSA key pair on each peer: each side signs the Phase 1 exchange with its private key and verifies the other side's signature with that peer's public key. The keys authenticate the peers; they do not encrypt tunnel traffic.

Local RSA Key – The key pair is generated automatically on the Appliance and cannot be edited here. The private half never leaves the Appliance; the value displayed is the public half, which you pass to the administrator of the remote peer for entry as that peer's Remote RSA Key.

A Local RSA key can be regenerated from the CLI Console. Refer to the Console guide for more details. Regenerating it invalidates the copy held by every remote peer, which then has to be updated.

Remote RSA Key – Enter the public RSA key obtained from the remote peer.
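The following is an added example, not code from this guide or from the appliance, that shows what a Preshared Key actually does in IKEv1 Phase 1 (the derivation in RFC 2409 section 5) and why the 5-character minimum should not be relied on: the PSK keys the pseudo-random function, the encryption keys also depend on the Diffie-Hellman secret, and a key mismatch surfaces as a rejected authentication hash. The nonces, cookies and Diffie-Hellman values are constructed sample data; the recommended key length is an editorial assumption, not an appliance setting. The same applies to the Preshared Key fields of the Remote Access and Host-to-Host tables.

```python
import hashlib
import hmac
import secrets
import string

# Product limit stated in the guide; the recommended floor is an editorial
# assumption (32 random alphanumerics give roughly 190 bits of entropy).
APPLIANCE_MIN_PSK_CHARS = 5
RECOMMENDED_MIN_PSK_CHARS = 32

PSK_ALPHABET = string.ascii_letters + string.digits


def generate_psk(nchars: int = RECOMMENDED_MIN_PSK_CHARS) -> str:
    """Draw a PSK from the OS CSPRNG; alphanumerics only, so it pastes cleanly
    into both peers' Preshared Key fields."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(nchars))


def psk_policy_errors(psk: str) -> list:
    """Return the reasons a PSK should be rejected; an empty list means acceptable."""
    errors = []
    if len(psk) < APPLIANCE_MIN_PSK_CHARS:
        errors.append("shorter than the appliance minimum of %d characters" % APPLIANCE_MIN_PSK_CHARS)
    if len(psk) < RECOMMENDED_MIN_PSK_CHARS:
        errors.append("shorter than the recommended %d random characters" % RECOMMENDED_MIN_PSK_CHARS)
    if len(set(psk)) < 6:
        errors.append("too little variety; use a random key, not a word or a repeated character")
    return errors


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with `key` using the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev1_psk_phase1_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                          cky_i: bytes, cky_r: bytes) -> dict:
    """RFC 2409 section 5, pre-shared key authentication:
         SKEYID   = prf(psk, Ni_b | Nr_b)
         SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)              (seeds IPsec SA keys)
         SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)   (ISAKMP integrity)
         SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)   (ISAKMP encryption)
    The PSK keys the prf; every encryption key also depends on the DH secret g^xy."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def ikev1_hash_i(skeyid: bytes, gxi: bytes, gxr: bytes, cky_i: bytes, cky_r: bytes,
                 sai_b: bytes, idii_b: bytes) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b): the value the
    initiator sends to authenticate itself. The responder recomputes it with its own
    copy of the PSK; a key mismatch shows up here as a failed Phase 1."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def phase1_authenticates(psk_initiator: bytes, psk_responder: bytes, exchange: dict) -> bool:
    """Run both sides of Phase 1 over one constructed exchange and report whether the
    responder accepts the initiator's HASH_I."""
    e = exchange
    keys_i = ikev1_psk_phase1_keys(psk_initiator, e["ni"], e["nr"], e["gxy"], e["cky_i"], e["cky_r"])
    keys_r = ikev1_psk_phase1_keys(psk_responder, e["ni"], e["nr"], e["gxy"], e["cky_i"], e["cky_r"])
    sent = ikev1_hash_i(keys_i["SKEYID"], e["gxi"], e["gxr"], e["cky_i"], e["cky_r"], e["sai_b"], e["idii_b"])
    expected = ikev1_hash_i(keys_r["SKEYID"], e["gxi"], e["gxr"], e["cky_i"], e["cky_r"], e["sai_b"], e["idii_b"])
    return hmac.compare_digest(sent, expected)


# Constructed sample exchange (not a capture): fixed nonces, cookies and DH values
# so that the derivation is reproducible.
SAMPLE_EXCHANGE = {
    "ni": bytes(range(16)), "nr": bytes(range(16, 32)),
    "cky_i": b"\x11" * 8, "cky_r": b"\x22" * 8,
    "gxi": b"\x33" * 128, "gxr": b"\x44" * 128, "gxy": b"\x55" * 128,
    "sai_b": b"\x00\x00\x00\x01", "idii_b": b"\x02\x00\x00\x00vpn.example.com",
}

if __name__ == "__main__":
    good = generate_psk()
    print("generated PSK:", good, psk_policy_errors(good))
    print("5-character PSK:", psk_policy_errors("abcde"))
    print("matching keys authenticate:", phase1_authenticates(b"s3cr3t", b"s3cr3t", SAMPLE_EXCHANGE))
    print("mismatched keys authenticate:", phase1_authenticates(b"s3cr3t", b"S3cr3t", SAMPLE_EXCHANGE))
```

Because the PSK is the only secret input to SKEYID while the nonces and cookies travel in the clear, the work needed to guess it is bounded by its entropy, not by the strength of the policy's cipher; that is why the generator above draws the key from the OS CSPRNG rather than accepting a memorable word.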

Endpoints Details

Local Select Local WAN port from the list.

Remote Specify IP Address or domain name of the remote peer.

Click the Add icon against the option “Remote” to add further endpoint pairs, or the Remove icon to remove one.

Name Specify a name for the connection (endpoint pair).

Failover Group Name Specify a name for the Failover Group.

Failover Mail Notification

Enable Mail Notification to be mailed when a connection fails. The notification goes to the Email Address configured under Email Settings in the Notification Configuration Wizard.

Failover Condition

Specify the Failover Condition. The Appliance checks for connection failure every 60 seconds; if a failure is detected, VPN traffic is moved to the subsequent connection specified in the Connection Group. The Appliance considers the connection failed if:

The remote server does not reply – for a Site-to-Site connection.

Specify the communication protocol (TCP, UDP, PING). Choose it according to the service to be tested on the remote server or local gateway, depending on the type of connection.

A request is sent to the specified port; if nothing responds, the Appliance considers the connection failed and shifts traffic to the subsequent connection. A PING reply only proves that the host is reachable; a TCP or UDP check against a service that must actually be available through the tunnel is the stronger test.

Failover time can be configured from Network > Gateway.

The Failover Condition is not applicable if:

The connection is manually disconnected from either end.

The connection is not included in any Group.

Local Network Details


Local Subnet Select Local LAN Address.

Add and Remove LAN Address using Add Button and Remove Button.

Select “NAT Local LAN” if the local private addresses are to be translated before they enter the tunnel, for example when the local and remote sites use the same private address range.

NATed LAN

(only if NAT Local LAN is configured)

Select the IP Host or Network Host whose address(es) the local subnet is translated to; this is the network the remote peer has to configure as its Remote LAN Network.

IP Host can also be added by clicking on the “Add IP Host” link.

Local ID For Preshared Key and RSA Key, select any type of ID from the available options and specify its value.

Available Options:

DNS

IP Address

Email

DER ASN1 DN (X.509)

DER ASN1 DN (X.509) applies to certificate authentication only and is not applicable with a Preshared Key or RSA Key.

The ID is what the remote peer matches against its configured Remote ID, so the two settings must agree exactly; a mismatch fails Phase 1 even when the key is correct. In case of Local Certificate, the ID and its value are filled in automatically from the Local Certificate.

Remote Network Details

Allow NAT Traversal Enable NAT traversal if a NAT device is located between the VPN endpoints, which is the case whenever the remote peer has a private, non-routable IP address. With NAT-T the peers detect the NAT during Phase 1 and encapsulate ESP in UDP port 4500.

Only one connection at a time can be established from behind a given NAT device.

Remote LAN Network Select the IP addresses and netmasks of the remote network that is allowed to reach the Appliance through the VPN tunnel; multiple subnets can be specified. Select IP Hosts from the list of available IP Hosts, or add a new IP Host and include it in the list. Keep the list as narrow as the remote site needs: every subnet listed here is routed into the tunnel and accepted from the peer.

Remote ID For Preshared Key, select any type of ID from the available options and specify its value.

Available Options:

DNS

IP Address

Email

DER ASN1 DN (X.509)

DER ASN1 DN (X.509) applies to certificate authentication only and is not applicable with a Preshared Key. The value must match the Local ID configured on the remote peer.

In a single connection, the same subnet cannot be configured as both the Local and the Remote Network.

User Authentication

User Authentication Mode

Select whether user authentication is required when the connection is established.

Available Options:

Disabled – Select Disable if user authentication is not required.

Enable as Client – The Appliance presents a username and password to the remote peer; specify them here.

Enable as Server – The Appliance authenticates the connecting peer; add every user who is allowed to connect.


Quick Mode Selectors

Protocol Select the protocols the tunnel is allowed to carry. Together with the local and remote subnets these values form the Phase 2 (Quick Mode) traffic selectors: only traffic matching them is sent through the tunnel, and the remote peer must propose compatible selectors or Phase 2 negotiation fails.

Available Options:

All

ICMP

UDP

TCP

Local Port Specify Local Port for TCP or UDP.

Remote Port Specify Remote Port for TCP or UDP.

Advanced Settings

Disconnect when tunnel is idle

Enable this option to let the Appliance delete a VPN session that stays idle for longer than the specified idle session time interval.

Default - Disable

Idle session time interval

(Only if Disconnect when tunnel is idle is enabled)

Specify the time limit after which an idle VPN session is deleted by the Appliance.

Acceptable Range – 120 to 999

Table – Add Site to Site VPN Connection screen elements
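An added example, not part of this guide or of the appliance, that models the Local/Remote Network Details and Quick Mode Selectors of a Site-to-Site connection as data and applies the checks worth running before committing the form: the Local ID and Remote ID value against its type and the authentication type, distinct local and remote subnets, ports only with TCP or UDP, and a classifier showing which sample packets the resulting selectors would admit into the tunnel. The connection values and packets are constructed; treating overlapping (not merely identical) subnets as an error and a blank port as "any port" are editorial assumptions. The same model fits the Remote Access and Host-to-Host tables.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

ID_TYPES = ("DNS", "IP Address", "Email", "DER ASN1 DN (X.509)")
PROTOCOLS = ("All", "ICMP", "UDP", "TCP")
PROTO_NUMBER = {"ICMP": 1, "TCP": 6, "UDP": 17}

_HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_peer_id(auth_type: str, id_type: str, value: str) -> List[str]:
    """Local ID / Remote ID checks. The ID is what the peer compares against its own
    Remote ID setting, so a typo here fails Phase 1 even with a correct key."""
    errors = []
    if id_type not in ID_TYPES:
        return ["unknown ID type %r" % id_type]
    if id_type == "DER ASN1 DN (X.509)" and auth_type in ("Preshared Key", "RSA Key"):
        errors.append("DER ASN1 DN (X.509) is not applicable to %s authentication" % auth_type)
    if id_type == "IP Address":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            errors.append("IP Address ID %r is not a valid address" % value)
    elif id_type == "DNS" and not _HOSTNAME.match(value):
        errors.append("DNS ID %r is not a valid host name" % value)
    elif id_type == "Email" and not _EMAIL.match(value):
        errors.append("Email ID %r is not a valid address" % value)
    return errors


@dataclass
class Selectors:
    """Subnets plus the Quick Mode selector fields of one connection."""
    local_subnets: List[str]
    remote_subnets: List[str]
    protocol: str = "All"
    local_port: int = 0      # 0 stands for a blank field = any port (assumption)
    remote_port: int = 0

    def networks(self):
        return ([ipaddress.ip_network(s, strict=False) for s in self.local_subnets],
                [ipaddress.ip_network(s, strict=False) for s in self.remote_subnets])

    def validate(self) -> List[str]:
        errors = []
        local, remote = self.networks()
        for l in local:
            for r in remote:
                if l == r:                      # stated in the guide
                    errors.append("same subnet %s on both sides of one connection" % l)
                elif l.overlaps(r):             # editorial assumption: ambiguous routing
                    errors.append("local %s overlaps remote %s" % (l, r))
        if self.protocol not in PROTOCOLS:
            errors.append("unknown protocol %r" % self.protocol)
        elif self.protocol in ("All", "ICMP") and (self.local_port or self.remote_port):
            errors.append("ports apply to TCP or UDP only")
        for name, port in (("local", self.local_port), ("remote", self.remote_port)):
            if not 0 <= port <= 65535:
                errors.append("%s port %d out of range" % (name, port))
        return errors

    def admits(self, src: str, dst: str, proto: int, sport: int = 0, dport: int = 0) -> bool:
        """Would an outbound packet from the local side be sent through the tunnel?"""
        local, remote = self.networks()
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(s in n for n in local) or not any(d in n for n in remote):
            return False
        if self.protocol != "All":
            if proto != PROTO_NUMBER[self.protocol]:
                return False
            if self.protocol in ("TCP", "UDP"):
                if self.local_port and sport != self.local_port:
                    return False
                if self.remote_port and dport != self.remote_port:
                    return False
        return True


# Constructed sample connection: head office 10.1.0.0/24 to branch 10.2.0.0/24, HTTPS only.
HTTPS_ONLY = Selectors(["10.1.0.0/24"], ["10.2.0.0/24"], protocol="TCP", remote_port=443)

if __name__ == "__main__":
    print(HTTPS_ONLY.validate())
    print(HTTPS_ONLY.admits("10.1.0.5", "10.2.0.9", 6, 51000, 443))   # tunnelled
    print(HTTPS_ONLY.admits("10.1.0.5", "10.2.0.9", 6, 51000, 80))    # dropped by selectors
    print(Selectors(["10.1.0.0/24"], ["10.1.0.0/24"]).validate())
    print(validate_peer_id("Preshared Key", "DER ASN1 DN (X.509)", "CN=branch"))
```

Running the classifier over a few representative packets before the connection goes live is the quickest way to catch a selector that is narrower than the application needs, or wider than the remote site should be allowed.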


Parameters – Host-to-Host VPN Connection

Screen – Add Host-to-Host IPSec Connection

Screen Elements Description

General Settings

Name Specify a name to identify the IPSec Connection.

Description Provide IPSec Connection Description.

Connection Type Host-to-Host.

Policy Select policy to be used for connection.


Action on VPN Restart Select the action to be taken on the connection when the VPN service or the Appliance restarts.

Available Options:

Respond Only – Load the connection so that it answers incoming negotiation requests; the Appliance never initiates it.

Initiate – Bring the connection up on system or service start and keep it ready, so that it is established whenever required.

Disable – Keep the connection disabled until it is activated manually.

Authentication Details

Authentication Type Select the Authentication Type. The options offered depend on the connection type.

Available Options:

Preshared Key authentication uses one shared secret that both peers must possess. During IKE Phase 1 each peer proves knowledge of the key: it is mixed into the keying material and into the authentication hash, so a peer holding a different key fails authentication. The Preshared Key does not itself encrypt tunnel traffic; the session keys are derived from the Diffie-Hellman exchange negotiated under the selected policy. On selecting this option, provide the following details:

Preshared Key – Specify the Preshared Key to be used. The appliance accepts a minimum of 5 characters; treat that as a floor only and use a long random key, because a short key can be recovered by offline guessing against the Phase 1 authentication hash.

Confirm Preshared Key – Enter the same Preshared Key again to confirm it.

The Preshared Key has to be communicated to the administrator of the remote peer, over a channel other than the tunnel it is meant to protect, and entered there for authentication. Refer to the VPN Client guide, Phase 1 Configuration.

If the keys do not match, Phase 1 authentication fails and the connection cannot be established.

Digital Certificate authentication has each peer present an X.509 certificate issued by a Certificate Authority and prove possession of the matching private key. Each side must trust the CA that issued the other side's certificate, so the CA certificate, not only the peer certificate, has to be present on both ends.

Local Certificate – Select the local certificate that the Appliance presents to the remote peer.

Remote Certificate – Select the certificate the remote peer is expected to present.

RSA Key authentication uses an RSA key pair on each peer: each side signs the Phase 1 exchange with its private key and verifies the other side's signature with that peer's public key. The keys authenticate the peers; they do not encrypt tunnel traffic.

Local RSA Key – The key pair is generated automatically on the Appliance and cannot be edited here. The private half never leaves the Appliance; the value displayed is the public half, which you pass to the administrator of the remote peer for entry as that peer's Remote RSA Key.

A Local RSA key can be regenerated from the CLI Console. Refer to the Console guide for more details. Regenerating it invalidates the copy held by every remote peer, which then has to be updated.

Remote RSA Key – Enter the public RSA key obtained from the remote peer.

Endpoints Details

Local Select Local WAN port from the list.

Remote Specify IP Address or domain name of the remote peer.

Click the Add icon against the option Remote to add further endpoint pairs, or the Remove icon to remove one.

Name Specify a name for the connection (endpoint pair).

Failover Group Name Specify a name for the Failover Group.

Failover Mail Notification

Enable Mail Notification to be mailed when a connection fails. The notification goes to the Email Address configured under Email Settings in the Notification Configuration Wizard.

Failover Condition Specify the Failover Condition. The Appliance checks for connection failure every 60 seconds; if a failure is detected, VPN traffic is moved to the subsequent connection specified in the Connection Group. The Appliance considers the connection failed if:

The remote peer does not reply.

Specify the communication protocol (TCP, UDP, PING). Choose it according to the service to be tested on the remote host or local gateway, depending on the type of connection.

A request is sent to the specified port; if nothing responds, the Appliance considers the connection failed and shifts traffic to the subsequent connection. A PING reply only proves that the host is reachable; a TCP or UDP check against a service that must actually be available through the tunnel is the stronger test.

Failover time can be configured from Network > Gateway.

The Failover Condition is not applicable if:

The connection is manually disconnected from either end.

The connection is not included in any Group.
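The failover condition above, and the identical one in the Site-to-Site table, probes the remote service with TCP, UDP or PING. The following added example, not code from this guide or from the appliance, implements those three checks so that the chosen service and port can be verified from an ordinary host before the group is configured, and it exercises the TCP and UDP probes against throwaway listeners built on loopback inside the example; `probe_ping` shells out to the Linux `ping` command and is not exercised offline. Timeouts and the echo payload are assumptions, not appliance values.

```python
import socket
import subprocess
import threading
from typing import Dict


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Check 'TCP': a completed handshake to host:port counts as a reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_udp(host: str, port: int, payload: bytes = b"\x00", timeout: float = 2.0) -> bool:
    """Check 'UDP': send one datagram and wait for any answer. UDP has no handshake,
    so a service that never replies to this payload looks exactly like a dead one;
    probe a port whose service answers (DNS with a real query, for instance)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, (host, port))
            s.recvfrom(512)
            return True
        except OSError:          # timeout, or ICMP port unreachable surfaced as an error
            return False


def probe_ping(host: str, timeout: float = 2.0) -> bool:
    """Check 'PING': one ICMP echo via the system ping (Linux flags; raw ICMP sockets
    would need root). A reply proves the host is reachable, not that any service is up."""
    cmd = ["ping", "-c", "1", "-W", str(max(1, int(timeout))), host]
    try:
        return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout + 2).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def demo_local_probes() -> Dict[str, bool]:
    """Stand-ins for the remote service, constructed on loopback: a TCP listener and a
    UDP echo responder, each serving exactly one probe, then the same ports once closed."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    tcp_port, udp_port = tcp.getsockname()[1], udp.getsockname()[1]

    def tcp_server():
        conn, _ = tcp.accept()
        conn.close()

    def udp_echo():
        data, peer = udp.recvfrom(512)
        udp.sendto(data, peer)

    threads = [threading.Thread(target=tcp_server, daemon=True),
               threading.Thread(target=udp_echo, daemon=True)]
    for t in threads:
        t.start()
    results = {
        "tcp_open": probe_tcp("127.0.0.1", tcp_port),
        "udp_answering": probe_udp("127.0.0.1", udp_port),
    }
    for t in threads:
        t.join(timeout=2)
    tcp.close()
    udp.close()
    # Nothing listens on those ports any more: this is what a failed check looks like.
    results["tcp_closed"] = probe_tcp("127.0.0.1", tcp_port, timeout=1.0)
    results["udp_silent"] = probe_udp("127.0.0.1", udp_port, timeout=1.0)
    return results


if __name__ == "__main__":
    for check, ok in demo_local_probes().items():
        print("%-14s %s" % (check, "reply" if ok else "no reply -> failed"))
```

Run the TCP or UDP probe from a host inside the local subnet against the address the appliance will test; if it already fails there, the failover group will flap regardless of tunnel health.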

Local Network Details

Local ID For Preshared Key and RSA Key, select any type of ID from the available options and specify its value.

Available Options:

DNS

IP Address

Email

DER ASN1 DN (X.509)

DER ASN1 DN (X.509) applies to certificate authentication only and is not applicable with a Preshared Key or RSA Key.

The ID is what the remote peer matches against its configured Remote ID, so the two settings must agree exactly. In case of Local Certificate, the ID and its value are filled in automatically from the Local Certificate.

Remote Network Details

Allow NAT Traversal Enable NAT traversal if a NAT device is located between the VPN endpoints, which is the case whenever the remote peer has a private, non-routable IP address. With NAT-T the peers detect the NAT during Phase 1 and encapsulate ESP in UDP port 4500.

Only one connection at a time can be established from behind a given NAT device.

Default - Enabled

Remote LAN Network Select the IP addresses and netmasks of the remote network that is allowed to reach the Appliance; multiple subnets can be specified. Select IP Hosts from the list of IP Hosts available on the Web Admin Console, or add a new IP Host.

Remote ID For Preshared Key, select any type of ID from the available options and specify its value.

Available Options:

DNS

IP Address

Email

DER ASN1 DN (X.509)

DER ASN1 DN (X.509) applies to certificate authentication only and is not applicable with a Preshared Key. The value must match the Local ID configured on the remote peer.

User Authentication


User Authentication Mode

Select whether user authentication is required when the connection is established.

Available Options:

Disabled – Select Disable if user authentication is not required.

Enable as Client – The Appliance presents a username and password to the remote peer; specify them here.

Enable as Server – The Appliance authenticates the connecting peer; add every user who is allowed to connect.

Quick Mode Selectors

Protocol Select the protocols the tunnel is allowed to carry. Together with the endpoint addresses these values form the Phase 2 (Quick Mode) traffic selectors: only traffic matching them is sent through the tunnel, and the remote peer must propose compatible selectors or Phase 2 negotiation fails.

Available Options:

All

ICMP

UDP

TCP

Local Port Specify Local Port for TCP or UDP.

Remote Port Specify Remote Port for TCP or UDP.

Advanced Settings

Disconnect when tunnel is idle

Enable this option to let the Appliance delete a VPN session that stays idle for longer than the specified idle session time interval.

Default - Disable

Idle session time interval

(Only if Disconnect when tunnel is idle is enabled)

Specify the time limit after which an idle VPN session is deleted by the Appliance.

Acceptable Range – 120 to 999

Table – Add Host-to-Host VPN Connection screen elements


VPN Connection Wizard

The VPN Connection Wizard walks you step-by-step through the configuration of a VPN connection on the Appliance. After the configuration is completed, the wizard creates a new VPN connection.

The Wizard is divided into two panels, a Configuration panel and a Help panel. The configuration parameters are entered in the Configuration panel, while the Help panel on the left provides help on those parameters.

The first screen of the wizard provides the overview of the configuration steps. You can create three types of connections through wizard:

1. Remote Access

2. Site to Site

3. Host to Host

IPSec connections can also be configured with the Wizard Button instead of directly through the Add option. To configure an IPSec connection using the Wizard, go to VPN > IPSec > Connection and click the Wizard Button.

Add Remote Access Connection

Screen 1 – IPSec Connection using Wizard

Screen Elements Description

Name Specify a name to identify the IPSec Remote Access Connection.

Description Specify IPSec Connection Description.

Table – VPN Connection Wizard screen elements


Screen 2 – Select Connection Type

Screen Elements Description

Connection Type Select Remote Access.

Policy All policies, default as well as custom, are available for selection.

Action Select the action for the connection.

Available Options:

Respond Only - Load the connection so that it answers incoming negotiation requests; the Appliance never initiates it.

Disable - Keep the connection disabled until it is activated manually.

Table – Select Connection Type screen elements


Screen 3 – Remote Access: Authentication Details

Screen Elements Description

Authentication Details

Authentication Type Select the Authentication Type. The options offered depend on the connection type.

Available Options:

Preshared Key authentication uses one shared secret that both peers must possess. During IKE Phase 1 each peer proves knowledge of the key; the key does not itself encrypt tunnel traffic, the session keys being derived from the Diffie-Hellman exchange under the selected policy. On selecting this option, provide:

Preshared Key – Specify the Preshared Key to be used. The appliance accepts a minimum of 5 characters; use a long random key instead of the minimum.

Confirm Preshared Key – Enter the same Preshared Key again to confirm it.

The Preshared Key has to be communicated to the administrator of the remote peer over a channel other than the tunnel it protects, and entered there for authentication. Refer to the VPN Client guide, Phase 1 Configuration.

If the keys do not match, Phase 1 authentication fails and the connection cannot be established.

Digital Certificate authentication has each peer present an X.509 certificate issued by a Certificate Authority and prove possession of the matching private key. Each side must trust the CA that issued the other side's certificate. On selecting this option, provide:

Local Certificate – Select the local certificate that the Appliance presents to the remote peer.

Remote Certificate – Select the certificate the remote peer is expected to present.

Table – Remote Access: Authentication Details screen elements

Screen 4 – Remote Access: Local Network Details

Screen Elements Description

Local Network Details

Local WAN Port Select the WAN Port which will act as an end-point of the tunnel.

Local Subnet Select Local LAN Address.


Local ID For Preshared Key, select an ID type and specify its value; the remote client must be configured with the same value as its Remote ID.

DER ASN1 DN (X.509) applies to certificate authentication only and is not applicable here.

In case of Local Certificate, ID and its value is displayed automatically as specified in the Local Certificate.

Table – Remote Access: Local Network Details screen elements

Screen 5 – Remote Access: Remote Network Details

Screen Elements Description

Remote Network Details

Remote VPN Server Specify the IP Address of the remote peer/host. Specify * to accept negotiation from any IP address, the usual setting for roaming clients whose address is not known in advance; the peer is then identified only by its Remote ID and its Preshared Key or certificate, so the strength of that credential is what keeps unknown parties out.

Allow NAT Traversal Enable NAT traversal if a NAT device is located between the VPN endpoints, which is the case whenever the remote peer has a private, non-routable IP address.

Only one connection at a time can be established from behind a given NAT device.

Remote Subnet Select IP Hosts from the list of IP Hosts available.

Remote ID For Preshared Key, select an ID type and specify its value; it must match the Local ID configured on the client. DER ASN1 DN (X.509) is not applicable.

Table – Remote Access: Remote Network Details screen elements

Screen 6 – Remote Access: User Authentication


Screen Elements Description

User Authentication

User Authentication Mode

Select whether user authentication is required when the connection is established.

Available Options:

Disabled – Select Disable if user authentication is not required.

Enable as Client – The Appliance presents a username and password to the remote peer; specify them here.

Enable as Server – The Appliance authenticates the connecting users; add every user who is allowed to connect. When all Remote Access clients share one Preshared Key, this is the only per-user control on the connection.

Table – Remote Access: User Authentication screen elements

After the configuration is completed, a summary is displayed on the following page.

If the connection is added successfully, it appears on the Connection page and a success message is displayed.

Screen 7 – Remote Access: IPSec Connection Summary


Screen 8 – Created Remote Access Connection


Add Site to Site Connection

Screen 1 – IPSec Connection using Wizard

Screen Elements Description

Name Specify a name to identify the IPSec Site to Site Connection.

Description Specify IPSec Connection Description.

Table – VPN Connection Wizard screen elements


Screen 2 – Select Connection Type

Screen Elements Description

Connection Type Select Site to Site.

Select Base Location Base Location is the location from where the connection will be established.

Available Options:

Head Office

Branch Office

Policy All policies, default as well as custom, are available for selection.

Action Select the action for the connection from the available options.

Available Options:

Respond Only – Load the connection so that it answers incoming negotiation requests; the Appliance never initiates it.

Initiate – Bring the connection up on system or service start and keep it ready, so that it is established whenever required.

Disable – Keep the connection disabled until it is activated manually.

Table – Site To Site: Select Connection Type screen elements


Screen 3 – Site To Site: Authentication Details

Screen Elements Description

Authentication Details

Authentication Type Select the Authentication Type. The options offered depend on the connection type.

Available Options:

Preshared Key authentication uses one shared secret that both peers must possess. During IKE Phase 1 each peer proves knowledge of the key; the key does not itself encrypt tunnel traffic, the session keys being derived from the Diffie-Hellman exchange under the selected policy. On selecting this option, provide:

Preshared Key – Specify the Preshared Key to be used. The appliance accepts a minimum of 5 characters; use a long random key instead of the minimum.

Confirm Preshared Key – Enter the same Preshared Key again to confirm it.

The Preshared Key has to be communicated to the administrator of the remote peer over a channel other than the tunnel it protects, and entered there for authentication. Refer to the VPN Client guide, Phase 1 Configuration.

If the keys do not match, Phase 1 authentication fails and the connection cannot be established.

Digital Certificate authentication has each peer present an X.509 certificate issued by a Certificate Authority and prove possession of the matching private key. Each side must trust the CA that issued the other side's certificate. On selecting this option, provide:

Local Certificate – Select the local certificate that the Appliance presents to the remote peer.

Remote Certificate – Select the certificate the remote peer is expected to present.

RSA Key authentication uses an RSA key pair on each peer: each side signs the Phase 1 exchange with its private key and verifies the other side's signature with that peer's public key. The keys authenticate the peers; they do not encrypt tunnel traffic.

Local RSA Key – The key pair is generated automatically on the Appliance and cannot be edited here. The private half never leaves the Appliance; the value displayed is the public half, which you pass to the administrator of the remote peer for entry as that peer's Remote RSA Key. The key can be regenerated from the CLI Console; refer to the Console guide for more details.

Remote RSA Key – Enter the public RSA key obtained from the remote peer.

Table – Site To Site: Authentication Details screen elements


Screen 4 – Site To Site: Local Network Details

Screen Elements Description

Local Network Details

Local WAN Port Select the WAN Port which will act as an end point of the tunnel.

Local Subnet Select Local LAN Address.


Local ID For Preshared Key and RSA Key, select an ID type and specify its value; the remote peer must be configured with the same value as its Remote ID.

DER ASN1 DN (X.509) applies to certificate authentication only and is not applicable here.

In case of Local Certificate, ID and its value is displayed automatically as specified in the Local Certificate.

Table – Site To Site: Local Network Details screen elements

Screen 5 – Site to Site: Remote Network Details

Screen Elements Description

Remote Network Details

Remote VPN Server Specify the IP Address of the remote peer/host. Specify * to accept negotiation from any IP address; the peer is then identified only by its Remote ID and its key or certificate.

Remote Subnet Select the IP addresses and netmasks of the remote network that is allowed to reach the Appliance through the VPN tunnel; multiple subnets can be specified. Select the IP Hosts from the list available, or add a new IP Host and include it in the list.

Remote ID For a Preshared Key, select an ID type and specify its value; it must match the Local ID configured on the remote peer. DER ASN1 DN (X.509) is not applicable.

In a single connection, the same subnet cannot be configured as both the Local and the Remote Network.

Table – Site To Site: Remote Network Details screen elements

Screen 6 – Site to Site: User Authentication

Screen Elements Description

User Authentication

User Authentication Mode – Select whether User Authentication is required at the time of connection or not from the available options.

Available Options:

Disabled – Click Disable if User Authentication is not required.

Enable as Client – If enabled as client, specify Username and Password.

Enable as Server – If enabled as server, add all the users who are to be allowed to connect.

Table – Site To Site: User Authentication screen elements

After the IPSec connection configuration is complete, a summary is displayed on the next page.

If the connection is successfully added, it is added to the Connection page and a message confirming this is displayed.


Screen 7 – Site To Site: IPSec Connection Summary

Screen 8 – Created Site To Site Connection


Add Host to Host Connection

Screen 1 – IPSec Connection using Wizard

Screen Elements Description

Name – Specify a name to identify the IPSec Connection.

Description – Specify a description for the IPSec Connection.

Table – VPN Connection Wizard screen elements


Screen 2 – Select Connection Type

Screen Elements Description

Connection Type – Select Host to Host.

Policy – All the policies, default as well as custom, are available for selection.

Action – Select the action for the connection from the available options.

Available Options:

Respond Only – Keep the connection disabled till the user responds.

Initiate – Activate the connection on system/service start so that the connection can be established whenever required.

Disable – Keep the connection disabled till the user activates it.

Table – Select Connection Type screen elements


Screen 3 – Host To Host: Authentication Details

Screen Elements Description

Authentication Details

Authentication Type – Select the Authentication Type. Authentication of the user depends on the connection type.

Available Options:

Preshared Key authentication is a mechanism whereby a single key is used for encryption and decryption. Both the peers should possess the Preshared Key. The remote peer uses the Preshared Key for decryption. On selecting this option, the user will be required to provide:

Preshared Key – Specify the Preshared Key to be used. Preshared Key should be of minimum 5 characters.

Confirm Preshared Key – Provide the same preshared key to confirm it.

This Preshared Key will have to be shared or communicated to the peer at the remote end. At the remote end, client will have to specify this key for authentication. Refer to VPN Client guide, Phase 1 Configuration.

If there is a mismatch in the key, the user will not be able to establish the connection.


Digital Certificate authentication is a mechanism whereby the sender and receiver both use a digital certificate issued by the Certificate Authority. Both sender and receiver must have each other’s Certificate Authority. On selecting this option, the user will be required to provide:

Local Certificate – Select the local certificate that should be used for authentication by the Appliance.

Remote Certificate – Select the remote certificate that should be used for authentication by remote peer.

RSA Key authentication is a mechanism whereby two keys – the Local and the Remote RSA Key – are used for encryption and decryption.

Local RSA Key – It is known only to the owner and is never transmitted over the network. Displays the automatically generated key, which cannot be modified. The Local RSA Key can be regenerated from the CLI Console. Refer to the Console guide for more details.

Remote RSA Key – The administrator must provide the RSA Key.

Table – Host To Host: Authentication Details screen elements

Screen 4 – Host To Host: Local Network Details


Screen Elements Description

Local Network Details

Local WAN Port – Select the WAN Port which will act as the end point of the tunnel.

Local ID – For a Preshared Key and RSA Key, select any type of ID and specify its value.

DER ASN1 DN (X.509) is not applicable.

In case of a Local Certificate, the ID and its value are displayed automatically as specified in the Local Certificate.

Table – Host To Host: Local Network Details screen elements

Screen 5 – Host To Host: Remote Network Details

Screen Elements Description

Remote Network Details

Remote VPN Server – Select the IP Address of the remote peer/host. Specify * for any IP Address.

Allow NAT Traversal – Enable NAT traversal if a NAT device is located between your VPN endpoints. This is observed when the remote peer has a private/non-routable IP address.

Only one connection at a time can be established behind one NAT box.

Default - Enabled

Remote Subnet – Select the IP Addresses and Netmask of the remote network which is allowed to connect to the Appliance server through the VPN tunnel. Multiple subnets can be specified. Select the IP Hosts from the list of available Hosts.

You can also add a new IP Host.

Remote ID – For a Preshared Key, select any type of ID and specify its value. DER ASN1 DN (X.509) is not applicable.

Table – Host To Host: Remote Network Details screen elements

Screen 6 – Host To Host: User Authentication

Screen Elements Description

User Authentication

User Authentication Mode – Select whether User Authentication is required at the time of connection or not from the available options.

Available Options:

Disabled – Click Disable if user authentication is not required.

Enable as Client – If enabled as client, specify Username and Password.

Enable as Server – If enabled as server, add all the users who are to be allowed to connect.

Table – Host To Host: User Authentication screen elements

After the IPSec connection configuration is complete, a summary is displayed on the next page.

If the connection is successfully added, it is added to the Connection page and a message confirming this is displayed.


Screen 7 – Host To Host: IPSec Connection Summary

Screen 8 – Created Host To Host Connection


Failover Group

Connection Failover

Connection Failover is a feature that provides an automatic backup connection for VPN traffic, giving “Always ON” VPN connectivity for IPSec connections. If the primary connection fails, the subsequent connection in the Group takes over without manual intervention and keeps the traffic moving. The entire process is transparent to users. For example, if the connection established using the 4th Connection in the Group is lost, the 5th Connection takes over. Once the 4th Connection is restored, the 5th Connection automatically fails back to the 4th Connection.

Connection Failback

During a connection failure, the appliance checks the health of the primary connection every 60 seconds. When the primary connection is restored, the secondary connection fails back to the primary connection without the administrator’s intervention.

Connection Failover Group

To configure connection failover, you have to:

1. Create Connections.

2. Create a Failover Group. A Failover Group is the grouping of all the connections that are to be used for failover. The order of connections in the Group defines the failover priority of the connections.

3. Define the Failover condition.

A VPN group is a set of VPN tunnel configurations, better known as IPSec connections. The Phase 1 and Phase 2 security parameters for each connection in a group can be different or identical, except for the IP Address of the remote gateway. The order of connections in the Group defines the failover priority of the connections. Failover to the next connection will not occur if the group is manually deactivated.

The Failover Group containing the connection must be activated for the first time before the connection participates in failover.

The Appliance considers a connection as Failed if:

Remote peer does not reply - for Net to Net and Host to Host connections.

Connections that are not a part of the Failover Group do not participate in failover/failback process and such connections will not be re-established automatically if lost.

Prerequisites

- Packets of the protocol specified in the failover condition must be allowed from the local server to the remote server, and their replies must be allowed, on both the Local and the Remote server.

- One connection can be included in one Group only.

- The connection must be ACTIVE to participate in failover.

Behavior

1. Once the Connection is added as a member of the group, the following parameters are overridden:

Policy parameters – DPD as “Disable” and Key Negotiation Tries as 3

Connection parameter – Action on VPN Restart as “Disable”

Once the Connection is removed from the group, the original Policy and Connection configuration is used again.


2. If the connection is already established at the time of adding it to the Failover Group, it will get disconnected.

3. On factory reset, the failover configuration will not be retained.

Manage Failover Groups

To configure the Failover condition for the Failover Groups, go to VPN > IPSec > Failover.

Screen – Manage Connection Failover Group

Screen Elements Description

Name – Displays the name identifying the Group.

Status – Displays the status of the Connection.

- Activated and Disconnected.

- Activated and Connected.

- Activated but partially connected.

Connection – Displays the connections selected for Failover.

Table – Manage Connection Failover Groups screen elements

Failover Group Parameters

To add Failover Groups and failover conditions, go to VPN > IPSec > Failover Group. Click the Add button to add a new group. The Failover Group parameters are given below.

Screen – Add a Connection Failover Group


Screen Elements Description

Connection Group Details

Name – Specify a name for the connection group.

Select Connection(s) – The “Available Connections” list displays the connections that can be added to the failover group. Click the connections to be added to the Member Connections list. Cyberoam selects the subsequent active connection from the Member Connections list if the primary connection fails.

The top-down order of connections in the Member Connections list specifies the failover preference, i.e. if the primary connection fails, the very next connection in the list is used by Cyberoam to keep the VPN traffic moving.

Once a connection is included in any Group, it is no longer displayed in the “Available Connections” list.

Remote Access connections are not listed in the “Available Connections” list.

You need to define a minimum of 2 member connections in a Group.

Mail Notification – Enable Mail Notification to receive a notification in case a connection fails. The notification is mailed to the Email Address configured in Email Settings from the Network Configuration Wizard.

Failover Condition

IF – Specify the Failover Condition. Cyberoam checks for connection failure every 60 seconds and, if a failure is detected, VPN traffic is transferred through the subsequent connection specified in the Connection Group. Cyberoam considers a connection as failed if the Failover Conditions are not met.

Specify the communication Protocol (TCP, UDP, PING). Select the protocol depending on the service to be tested on the remote server or local gateway, according to the type of connection.

A request on the specified port is sent and, if it does not get a response, the Appliance considers the Connection as Failed and shifts the traffic to the subsequent connection.

Failover time can be configured from Network > Gateway.

Failover Condition is not applicable if:

- Connection is manually disconnected from either of the ends.

- Connection is not included in any Group.


Table – Add Connection Failover Group screen elements
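The failover and failback behaviour described in this section, as an added example in Python that is not Cyberoam code: an ordered group of member connections, a probe standing in for the TCP/UDP/PING failover condition checked every 60 seconds, the parameter overrides applied when a connection joins the group and restored when it leaves, and the minimum of two members. The connection names and probe results are constructed for the example, and the rule "the highest-priority member that answers carries traffic" is my modelling assumption for how failback to the primary is decided.

```python
"""Connection Failover Group simulation (added example, not Cyberoam/Sophos code).
Member order is failover priority; a member is "failed" when the failover-condition
probe gets no reply; traffic shifts to the next member and fails back once the
primary answers again. Probe results are a constructed table, not real traffic."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MIN_MEMBERS = 2                # a group needs a minimum of 2 member connections
Probe = Callable[[str], bool]  # True when the remote end answered the request


@dataclass
class Connection:
    """Settings the guide says are overridden while the connection is a member."""
    name: str
    dpd: str = "Enable"
    key_negotiation_tries: int = 0
    action_on_vpn_restart: str = "Initiate"
    established: bool = False


@dataclass
class FailoverGroup:
    name: str
    members: List[Connection] = field(default_factory=list)  # top-down = priority
    activated: bool = False
    active: Optional[str] = None                              # member carrying traffic
    saved: Dict[str, Tuple[str, int, str]] = field(default_factory=dict)

    def add_member(self, conn: Connection) -> None:
        if conn.name in self.saved:
            raise ValueError(f"{conn.name} is already a member of {self.name}")
        # Keep the original values so they can be restored when the member leaves.
        self.saved[conn.name] = (conn.dpd, conn.key_negotiation_tries,
                                 conn.action_on_vpn_restart)
        conn.dpd = "Disable"                    # policy parameter override
        conn.key_negotiation_tries = 3          # policy parameter override
        conn.action_on_vpn_restart = "Disable"  # connection parameter override
        conn.established = False                # an established tunnel drops on join
        self.members.append(conn)

    def remove_member(self, name: str) -> None:
        for conn in self.members:
            if conn.name == name:
                (conn.dpd, conn.key_negotiation_tries,
                 conn.action_on_vpn_restart) = self.saved.pop(name)
                self.members.remove(conn)
                if self.active == name:
                    self.active = None
                return
        raise KeyError(name)

    def activate(self) -> None:
        if len(self.members) < MIN_MEMBERS:
            raise ValueError(f"{self.name} needs at least {MIN_MEMBERS} members")
        self.activated = True

    def deactivate(self) -> None:
        self.activated = False   # a manually deactivated group never fails over
        self.active = None

    def tick(self, probe: Probe) -> Optional[str]:
        """One 60-second health check; returns the member now carrying traffic.
        The highest-priority member whose probe is answered wins, which gives both
        failover (primary silent -> next in list) and failback (primary answers)."""
        if not self.activated:
            return None
        chosen = next((c for c in self.members if probe(c.name)), None)
        for c in self.members:
            c.established = c is chosen
        self.active = chosen.name if chosen else None  # None: every member failed
        return self.active


def simulate(group: FailoverGroup,
             probe_tables: List[Dict[str, bool]]) -> List[Optional[str]]:
    """Run one tick per constructed probe table; record who carried traffic."""
    return [group.tick(lambda name, t=table: t.get(name, False))
            for table in probe_tables]


# Constructed probe results, one table per 60-second check.
SAMPLE_TICKS = [
    {"HQ-A": True, "HQ-B": True, "HQ-C": True},    # all answer: primary carries traffic
    {"HQ-A": False, "HQ-B": True, "HQ-C": True},   # primary silent: fail over to HQ-B
    {"HQ-A": False, "HQ-B": False, "HQ-C": True},  # HQ-B silent too: move on to HQ-C
    {"HQ-A": True, "HQ-B": False, "HQ-C": True},   # primary answers again: fail back
]

if __name__ == "__main__":
    grp = FailoverGroup("hq-failover")
    for n in ("HQ-A", "HQ-B", "HQ-C"):
        grp.add_member(Connection(n))
    grp.activate()
    print(simulate(grp, SAMPLE_TICKS))  # ['HQ-A', 'HQ-B', 'HQ-C', 'HQ-A']
```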

CISCO™ VPN Client

To configure a connection for CISCO™ VPN Client, go to VPN > CISCO™ VPN Client > CISCO™ VPN Client.

Screen – Manage CISCO™ VPN Client

Screen Element Description

General Settings

CISCO™ VPN Client – Select to enable CISCO™ VPN Client.

All the fields become available for configuration once CISCO™ VPN Client is enabled.

Default - Disabled

Interface – Select an interface from the list of WAN ports.

Authentication Type – Select the Authentication Type. Authentication of the user depends on the connection type.

Available Options:

Preshared Key authentication is a mechanism whereby a single key is used for encryption and decryption. Both the peers should possess the Preshared Key. Remote peer uses the Preshared Key for decryption. On selecting this option the user will be required to provide:

Preshared Key – Specify the Preshared Key to be used. Preshared Key should be of minimum 5 characters.


Confirm Preshared Key – Provide the same Preshared Key to confirm it.

This Preshared Key will have to be shared or communicated to the peer at the remote end. At the remote end, client will have to specify this key for authentication. Refer to VPN Client guide, Phase 1 Configuration.

If there is mismatch in the key, the user will not be able to establish the connection.

Digital Certificate authentication is a mechanism whereby the sender and receiver both use a digital certificate issued by the Certificate Authority. Both sender and receiver must have each other’s Certificate Authority.

Local Certificate – Select the local certificate that should be used for authentication by the appliance.

Remote Certificate – Select the remote certificate that should be used for authentication by the remote peer.

Local ID – Specify the value for the selected Local ID type.

Available Options:

DNS

IP Address

Email Address

DER ASN1 DN (X.509)

For Preshared Key and RSA Key, DER ASN1 DN (X.509) is not applicable.

In case of a Local Certificate, the ID and its value are displayed automatically as specified in the Local Certificate.

Remote ID – Specify the value for the selected Remote ID type.

Available Options:

DNS

IP Address

Email Address

DER ASN1 DN (X.509)

For Preshared Key and RSA Key, DER ASN1 DN (X.509) is not applicable.

Allowed User – Provide all the users who are to be allowed to connect to the configured CISCO™ VPN Client for Apple iOS.

Client Information


Name – Provide the name to be displayed.

Assign IP from – Specify the IP Address range. The Cyberoam IPSEC server leases an IP Address to the Cisco™ IPSEC client from the specified IP Address range.

Do not specify the same IP Address range in the L2TP configuration and the PPTP configuration.

Allow leasing IP Address from Radius server for L2TP, PPTP and CISCO VPN Client – Click to lease IP Addresses to the L2TP, PPTP and CISCO VPN Client users through the Radius Server.

Radius is a protocol that allows network devices to authenticate users against a central database. It can also store technical information used by network devices.

If enabled, the configured IP Address is overridden with the IP Address provided by the Radius Server.

Default - Disable

DNS Server 1 – Provide a DNS Server IP Address to be pushed to CISCO VPN Clients.

DNS Server 2 – Provide a DNS Server IP Address to be pushed to CISCO VPN Clients.

Advanced Settings

Disconnect when tunnel is idle – Click this option to allow Cyberoam to delete an idle VPN session if it exceeds the specified Idle session time interval.

Default - Disable

Idle session time interval (only if the Disconnect when tunnel is idle option is “Enabled”) – Specify the time limit after which an idle VPN session will be deleted by Cyberoam.

Acceptable Range – 120 to 999

Export Connection – Click to export the Cisco VPN Client Configuration.

This option is enabled only when a Cisco VPN connection is configured.

Reset – Click to delete all the client configurations.

Table – Manage CISCO™ VPN Client screen elements


L2TP

You can use Layer 2 Tunnelling Protocol (L2TP) to create a VPN tunnel over public networks such as the Internet. For authentication, Cyberoam currently supports only the Password Authentication Protocol (PAP).

Configuration

Connection

Configuration

To manage L2TP configuration, go to VPN > L2TP > Configuration.

Screen – Configure L2TP

Screen Elements Description

Enable L2TP – Click to enable L2TP.

General Settings

Assign IP From – Specify the IP Address range if the L2TP server has to lease IP Addresses.

Allow leasing IP Address from Radius server for L2TP, PPTP and CISCO VPN Client – Click to lease IP Addresses to the L2TP users through the Radius Server.

Radius is a protocol that allows network devices to authenticate users against a central database. It can also store technical information used by network devices.

If enabled, the configured IP Address is overridden with the IP Address provided by the Radius Server.

Default – Disable

Client Information

Primary DNS Server – Select the Primary DNS Server from the list. Alternatively, you can also specify a DNS Server by choosing “Other” from the list.

Secondary DNS Server – Specify the Secondary DNS Server. Alternatively, you can also specify a DNS Server by choosing “Other” from the list.

Primary WINS Server – Specify the WINS Server.

Secondary WINS Server – Specify the Alternate WINS Server.

Table – Configure L2TP screen elements

Add L2TP Members

Click the “Add Member(s)” button to add users or user groups to the L2TP members list. A pop-up window is displayed to select the users. You can also select multiple users or user groups.

Screen – Add L2TP Members

Select the users or user groups who are to be allowed access through the L2TP connection. Click the ‘Apply’ button to add these users and user groups to the L2TP members list.

You can also search for users or user groups to be added to the Members list.

View L2TP Members

Click the “Show L2TP Members” button to view the users or user groups that are in the L2TP members list. A pop-up window is displayed to view the users. You can also select multiple users or user groups and delete them.


Screen – View L2TP Members

The page displays the list of L2TP members who are allowed access through the L2TP connection. To delete users, select the users to be deleted and click the “Delete” button.

You can also search for users or user groups to be deleted from the Members list.


Manage L2TP Connection

To manage L2TP connections, go to VPN > L2TP > Connection.

Screen – Manage L2TP Connection

Screen Elements Description

Name – Displays the name of the L2TP Connection.

Policy – Displays the name of the VPN Policy selected.

Point to the policy link to view or edit the policy details.

Authentication Type – Displays the type of Authentication selected: Preshared Key or Digital Certificate.

Status – Displays the status of the Connection.

– Activated and Disconnected. Click to initiate the connection.

– Activated and Connected. Click to disconnect the connection. When you disconnect, the connection is deactivated; to re-establish the connection, activate it again.

– Activated but Partially connected. Click to disconnect the connection. When multiple subnets are configured for the LAN and/or remote network, Cyberoam creates a sub-connection for each subnet. A Connection Status in yellow indicates that one of the sub-connections is not active.

Clicking any of the above icons toggles its status from Activated and Connected to Activated and Disconnected and vice versa. A confirmation pop-up prompting the same is displayed.

Table – Manage L2TP Connections screen elements


L2TP Connection Parameters

To add or edit L2TP connections, go to VPN > L2TP > Connection. Click the Add button to add a new connection or the Edit icon to modify the details of the connection. The L2TP connection parameters are given below.

Screen – Add a L2TP Connection

Screen Elements Description

General Settings

Name – Specify a name to identify the L2TP Connection.

Description – Provide a description for the L2TP connection.

Policy – Select the policy to be used for the L2TP connection.

Action on VPN Restart – Select an action for the connection.


Available Options:

Respond Only – Keep the connection disabled till the user responds.

Initiate – Activate the connection on system/service start so that the connection can be established whenever required.

Disable – Keep the connection disabled till the user activates it.

Authentication Details

Authentication Type – Select the Authentication Type. Authentication of the user depends on the connection type.

Available Options:

Preshared Key authentication is a mechanism whereby a single key is used for encryption and decryption. Both the peers should possess the Preshared Key. The remote peer uses the Preshared Key for decryption. On selecting this option, the user will be required to provide the following details:

Preshared Key – Specify the Preshared Key to be used. The Preshared Key should be a minimum of 5 characters.

Confirm Preshared Key – Provide the same Preshared Key to confirm it.

This Preshared Key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to the VPN Client guide, Phase 1 Configuration.

If there is a mismatch in the key, the user will not be able to establish the connection.

Digital Certificate authentication is a mechanism whereby the sender and receiver both use a digital certificate issued by the Certificate Authority. Both sender and receiver must have each other’s Certificate Authority.

Select the Local Certificate that should be used for authentication by Cyberoam.

Local Network Details

Local WAN Port – Select the Local WAN Port.

Local ID – For a Preshared Key and RSA Key, select any type of ID from the available options and specify its value.

Available Options:

DNS

IP Address

Email


DER ASN1 DN (X.509)

DER ASN1 DN (X.509) is not applicable.

In case of a Local Certificate, the ID and its value are displayed automatically as specified in the Local Certificate.

Remote Network Details

Remote Host – Specify the IP Address of the remote peer/host. Specify * for any IP Address.

Allow NAT Traversal – Enable NAT traversal if a NAT device is located between your VPN endpoints. This is observed when the remote peer has a private/non-routable IP address.

Only one connection at a time can be established behind one NAT box.

Default - Enabled

Remote LAN Network – Select the IP Addresses and Netmask of the remote network which is allowed to connect to the Appliance. Multiple subnets can be specified. Select the IP Hosts from the list of IP Hosts available. You can also add a new IP Host and include it in the list.

Remote ID – For a Preshared Key, select any type of ID and specify its value.

Available Options:

DNS

IP Address

Email

DER ASN1 DN (X.509)

DER ASN1 DN (X.509) is not applicable.

Quick Mode Selectors

Local Port – Specify the Local Port for TCP or UDP.

Remote Port – Specify the Remote Port for TCP or UDP.

Advanced Settings

Disconnect when tunnel is idle – Click this option to allow Cyberoam to delete an idle VPN session if it exceeds the specified Idle session time interval.

Default - Disable

Idle session time interval (only if the Disconnect when tunnel is idle option is “Enabled”) – Specify the time limit after which an idle VPN session will be deleted by Cyberoam.

Acceptable Range – 120 to 999

Table – Add L2TP Connections screen elements


PPTP

The Appliance supports PPTP to tunnel PPTP traffic between two VPN peers. Windows or Linux PPTP clients can establish a PPTP tunnel with an Appliance that has been configured to act as a PPTP server.

PPTP Configuration

To manage PPTP configuration, go to VPN > PPTP > Configuration.

Screen – Configure PPTP

Screen Elements Description

Enable PPTP – Click to enable PPTP.

General Settings

Assign IP From – Specify the IP Address range. The PPTP server leases an IP Address to the PPTP client from the specified IP Address range. The PPTP client uses the assigned IP Address as its source address for the duration of the connection.

Do not specify the same IP Address range in the L2TP configuration and the PPTP configuration.

Allow leasing IP Address from Radius server for L2TP, PPTP and CISCO VPN Client – Click to lease the IP Address to the PPTP user(s) through the Radius Server.

Radius is a protocol that allows network devices to authenticate users against a central database. It can also store technical information used by network devices.

If enabled, the configured IP Address is overridden with the IP Address provided by the Radius Server.

Default - Disable

Client Information


Primary DNS Server – Specify the DNS Server to be used at the client end.

Secondary DNS Server – Specify the Alternate DNS Server to be used at the client end.

Primary WINS Server – Specify the WINS Server to be used at the client end.

Secondary WINS Server – Specify the Alternate WINS Server to be used at the client end.

Table – Configure PPTP screen elements
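As an added example that is not appliance code, a validator for the constraints the CISCO VPN Client, L2TP and PPTP tables above repeat: the "Assign IP from" pools of the three servers must not overlap (the guide says the L2TP and PPTP ranges must not be the same; this check is stricter and rejects any overlap), the Idle session time interval must be 120 to 999 when Disconnect when tunnel is idle is enabled, a Preshared Key needs at least 5 characters, and a DER ASN1 DN (X.509) ID applies only to Digital Certificate authentication. The server and field names and the "start-end" pool notation are assumptions made for this example; the ID type names follow the CISCO VPN Client table.

```python
"""Validator for the remote-access settings the guide constrains (added example,
not Cyberoam/Sophos code). Server names, field names and the "start-end" pool
notation are assumptions made for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IDLE_RANGE = (120, 999)              # "Acceptable Range – 120 to 999"
PSK_MIN_LEN = 5                      # "Preshared Key should be of minimum 5 characters"
ID_TYPES = {"DNS", "IP Address", "Email Address", "DER ASN1 DN (X.509)"}
CERT_ONLY_ID = "DER ASN1 DN (X.509)"  # not applicable to Preshared Key or RSA Key


def parse_pool(text: str) -> Tuple[int, int]:
    """'10.81.1.10-10.81.1.50' -> inclusive (first, last) as integers."""
    parts = [p.strip() for p in text.split("-")]
    if len(parts) != 2:
        raise ValueError(f"pool must be written as start-end: {text!r}")
    first, last = (int(ipaddress.IPv4Address(p)) for p in parts)
    if last < first:
        raise ValueError(f"pool end precedes start: {text!r}")
    return first, last


@dataclass
class RemoteAccessServer:
    name: str                            # "L2TP", "PPTP" or "CISCO VPN Client"
    assign_ip_from: str                  # the "Assign IP from" range
    auth_type: Optional[str] = None      # "Preshared Key", "Digital Certificate", "RSA Key"
    preshared_key: Optional[str] = None
    local_id_type: str = "IP Address"
    disconnect_when_idle: bool = False
    idle_interval: Optional[int] = None  # only meaningful when idle disconnect is enabled


def check_server(s: RemoteAccessServer) -> List[str]:
    """Per-server rules; returns human-readable problems (empty list means OK)."""
    problems: List[str] = []
    if s.auth_type == "Preshared Key" and len(s.preshared_key or "") < PSK_MIN_LEN:
        problems.append(f"{s.name}: preshared key shorter than {PSK_MIN_LEN} characters")
    if s.local_id_type not in ID_TYPES:
        problems.append(f"{s.name}: unknown local ID type {s.local_id_type!r}")
    elif s.local_id_type == CERT_ONLY_ID and s.auth_type != "Digital Certificate":
        problems.append(f"{s.name}: {CERT_ONLY_ID} is not applicable to {s.auth_type}")
    if s.disconnect_when_idle:
        lo, hi = IDLE_RANGE
        if s.idle_interval is None or not lo <= s.idle_interval <= hi:
            problems.append(f"{s.name}: idle session time interval must be {lo} to {hi}")
    return problems


def check_pools(servers: List[RemoteAccessServer]) -> List[str]:
    """Cross-server rule: no two servers may lease from overlapping pools."""
    problems: List[str] = []
    pools = [(s.name, *parse_pool(s.assign_ip_from)) for s in servers]
    for i, (n1, a1, b1) in enumerate(pools):
        for n2, a2, b2 in pools[i + 1:]:
            if a1 <= b2 and a2 <= b1:    # closed intervals intersect
                problems.append(f"{n1} and {n2}: IP address pools overlap")
    return problems


def validate(servers: List[RemoteAccessServer]) -> List[str]:
    """All per-server checks first, then the cross-server pool check."""
    problems: List[str] = []
    for s in servers:
        problems.extend(check_server(s))
    problems.extend(check_pools(servers))
    return problems


# Constructed sample: the PPTP pool overlaps the L2TP pool, and the CISCO VPN
# Client server has a too-short key and a too-small idle interval.
SAMPLE_SERVERS = [
    RemoteAccessServer("L2TP", "10.81.1.10-10.81.1.50"),
    RemoteAccessServer("PPTP", "10.81.1.40-10.81.1.80"),
    RemoteAccessServer("CISCO VPN Client", "10.81.2.10-10.81.2.50",
                       auth_type="Preshared Key", preshared_key="abc",
                       disconnect_when_idle=True, idle_interval=60),
]

if __name__ == "__main__":
    for line in validate(SAMPLE_SERVERS):
        print(line)
```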

Add PPTP Members

Click the “Add Member(s)” button to add users or user groups to the PPTP members list. A pop-up window is displayed to select the users. You can also select multiple users or user groups.

Screen – Add PPTP Members

Select the users or user groups who are to be allowed access through the PPTP connection. Click the Apply button to add these users and user groups to the PPTP members list.

You can also search for users or user groups to be added to the Members list.


View PPTP Members

Click the “Show PPTP Members” button to view the users or user groups that are in the PPTP members list. A pop-up window is displayed to view the users. You can also select multiple users or user groups and delete them.

Screen – View PPTP Members

The page displays the list of PPTP members who are allowed access through the PPTP connection. To delete users, select the users to be deleted and click the “Delete” button.

You can also search for users or user groups to be deleted from the Members list.


Live Connections

Live Connections displays the live VPN connections in the Appliance. Two different types of live connections can be managed, i.e. IPSec and SSL VPN connections.

IPSec Connections

SSL VPN Users

IPSec Connections

View the list of all the connected IPSec tunnels from VPN > Live Connections > IPSec Connections.

This page displays a list of all the connected IPSec tunnels, and you can filter this list based on the Connection Name, Local Server Name, Local Subnet, User Name, Remote Server/Host or Remote Subnet.

This page allows the Administrator to disconnect any of the IPSec connections. Click the ‘Disconnect’ button to disconnect live connections.

Screen – Live IPSec VPN Connections


SSL VPN Users

This page allows you to view the list of all the connected SSL VPN Users from VPN > Live Connections > SSL VPN Users.

This page displays the list of all the currently logged-in SSL VPN users, and you can filter the connections based on Time, User Name, Source IP Address, or Leased IP Address.

The Administrator can disconnect any of the connections displayed in this list. Click the ‘Disconnect’ button to disconnect live connections.

Screen – Live SSL VPN Connections